What is a HIPAA-Covered Entity?

The term “HIPAA Covered Entity” was not actually in the original Healthcare Insurance Portability and Accountability Act when it was originally enacted in August 1996. The term first appeared in the HHR´s proposed HIPAA Privacy Rule when the Rule was released for public comments in November 1999 and subsequently published after amendments had been made in December 2000.

The HIPAA Privacy Rule evolved from the “Administrative Simplification Rule” of the original legislation. This Rule required the Secretary of the Department of Health & Human Services to develop a set of national standards for the protection of certain health information. These standards defined what health information was to be protected and who was responsible for protecting it – Covered Entities.

HIPAA Covered Entity Definition

At first glance, the HIPAA Covered Entity definition appears straightforward. The Privacy Rule defines a Covered HIPAA Entity as any health plan or any healthcare clearinghouse, or any healthcare provider who transmits Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in electronic form.

However, reading deeper into the HIPAA Covered Entity definition uncovers a few gray areas. For example insurance companies providing workers´ compensation are not regarded as health plans, despite the fact they will be in receipt of personally identifiable information – usually consider to be protected – in the process of settling workers´ compensation claims.

A further gray area exists around the definition of a healthcare clearinghouse – which, in most instances only receives PHI when it is providing processing services to a health plan or healthcare provider. This would make a healthcare clearinghouse a Business Associate (see “HIPAA Covered Entity vs Business Associate) rather than a Covered HIPAA Entity under the HIPAA Covered Entity definition.

Is an Employer a HIPAA Covered Entity?

One would think if a healthcare clearinghouse qualifies as a Covered Entity under HIPAA, an employer must do as well. An employer – particularly an employer´s HR department – receives lots of personally identifiable information that is classified as protected; but even when an employer sponsors a self-insured group health plan, the answer to “Is an employer a HIPAA Covered Entity?” is generally “No”.

The reason for this is because a self-insured group health plan is considered to be a separate legal entity from the sponsoring employer. Therefore it is the group health plan and not the employer that is the Covered Entity under HIPAA – unless the employer also administers the group health plan and it has more than fifty participants. (This scenario rarely occurs. Large plans are usually administered by a third party who acts as a Business Associate to the group health plan).

However, because PHI is shared with an employer in the execution of administrative functions on behalf of the group plan, certain conditions exist about the use and disclosure of the information. Among these conditions is that the information shared with the employer will remain protected (as per the HIPAA Privacy Rule) and not used-for employment-related actions. In effect, employers – although not Covered Entities – are bound by the same rules as a Covered HIPAA Entity in certain circumstances.

HIPAA Covered Entity Examples

In order to provide HIPAA Covered Entity examples, we have used the examples provided by the Department of Health & Human Services. These examples are not exhaustive and are subject to change. Any organization that does not appear among the following HIPAA Covered Entity examples, but believes they may be subject to HIPAA, should read the section at the end of the this article entitled “Is Your Organization a Covered HIPAA Entity?”

HIPAA Covered Entity Examples: Health Plans

HIPAA-covered health plans are mostly plans that insure against the cost of health treatment, dental treatment, vision treatment or prescription drugs. Other HIPAA Covered Entity examples within the health plan category include health maintenance organizations (“HMOs”), long-term healthcare insurers (excluding nursing home fixed-indemnity policies) and – as mentioned above – employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans.

HIPAA Covered Entity Examples: Healthcare Clearinghouses

In medical billing, healthcare clearinghouses receive claims information from healthcare providers, check the claims for errors, and verify the format of each claim is compatible with the payer´s software. Healthcare clearinghouses, repricing companies, and community health management information systems are classified as HIPAA Covered Entity examples as their sole roles are PHI-related – an important point to note before discussing “HIPAA Covered Entity vs Business Associate” below.

HIPAA Covered Entity Examples: Healthcare Providers

The HIPAA Covered Entity definition of a healthcare provider has not changed since 1999 despite the healthcare industry evolving substantially. Therefore HIPAA Covered Entity examples of healthcare providers remains “providers who submit HIPAA transactions electronically” – electronic transactions including claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Privacy or Security Rule.

HIPAA Covered Entity vs Business Associate

There have been several references to date in this article relating to Business Associates, and it is important to note how the definitions of a HIPAA Covered Entity vs Business Associate differ. It was noted above that a healthcare clearinghouse is classified as a HIPAA Covered Entity because its sole role is PHI-related. By comparison a Business Associate is an entity whose primary role is unrelated to PHI, but who has access to it in the provision of a service performed on behalf of a Covered HIPAA Entity.

Since the publication of the Final Omnibus Rule in 2013, Business Associates are equally as responsible for the security of any PHI they encounter as a Covered Entity under HIPAA. Before sharing PHI with a Business Associate, a Covered Entity should perform due diligence on the service provider and obtain a signed Business Associate Agreement setting out the permissible uses of the PHI; but even without an Agreement in place, Business Associates can still be penalized if they are responsible for a breach of PHI.

A similarity in a HIPAA Covered Entity vs Business Associate comparison is, if a Business Associate subcontracts services that involves an electronic exchange of PHI, the Business Associate also has to conduct due diligence on the subcontractor. The Business Associate has to ensure the subcontractor complies with the Privacy and Security Rules and sign a Business Associate Agreement with the subcontractor, who then takes responsibility if a breach of PHI occurs.

When a Covered Entity under HIPAA Works for another Covered HIPAA Entity

One particularly complicated area of HIPAA legislation is the different scenarios that occur when a Covered Entity under HIPAA works for – or provides a service for – another Covered HIPAA Entity. Under the HIPAA Privacy Rule there is no need for a Covered Entity to sign a Business Associate Agreement with another Covered Entity when PHI is being shared for treatment purposes – for example if a radiologist interprets diagnostic images on behalf of a local physician.

However, if a hospital (Covered Entity A) enlisted the services of another hospital (Covered Entity B) to assist with the training of medical students, it would be necessary for a Business Associate Agreement to be signed before Covered Entity A could disclose PHI to Covered Entity B. Similarly, if a healthcare clearinghouse was unable to format a claim so it is compatible with a payer´s software, it would have to sign a Business Associate Agreement with a healthcare clearinghouse that was able to format the claim.

It is important to add at this point that an employee of a Covered HIPAA Entity is neither a Covered Entity under HIPAA nor a Business Associate. According to the American Hospitals Association: “Any person(s) whose conduct, in the performance of work for a Covered Entity, is under the direct control of such entity, whether they are paid by the Covered Entity or not”. This definition includes not only employees, but also agency nurses, temporary workers and volunteers.

Is Your Organization a Covered HIPAA Entity?

Due to the many gray areas relating to HIPAA and Covered Entities, the Centers for Medicare & Medicaid Services have compiled an interactive tool that can help organization determine whether or not they are a Covered HIPAA Entity. Alternatively, for further information about HIPAA compliance,  read this comprehensive guide to HIPAA, for more details about HIPAA’s objectives, and the Privacy, Security and Breach Notification Rules.