The HIPAA Covered Entities Guide
The expansion of mobile computing and electronic transaction processing in the healthcare industry has created an enormous opportunity to improve health outcomes, while at the same time reducing costs. To take advantage of this opportunity, those entities dealing with sensitive information or with some degree of influence on healthcare decisions (“covered entities”) must comply with a variety of privacy and security regulations.
The U.S. Department of Health and Human Services, in coordination with other federal agencies, has created a set of regulations that govern the use and protection of privacy and security information under the HIPAA (Health Information Portability and Accountability Act) Security Rule. The Security Rule is important because it provides guidance to covered entities on how they should handle PHI (Protected Health Information).
Today, we’re going to talk about what HIPAA means by “covered entities”. Then we’re going to take a look at the types of covered entities.
What are Covered Entities?
The HIPAA Security Rule defines covered entities as follows:
A covered entity is any person who creates, receives, maintains or transmits health information in electronic form in connection with a transaction. A covered entity may be an individual, such as a physician or other healthcare provider, who transmits protected health information for treatment purposes.
But what does it mean to be a “person” in this context? The Security Rule is pretty clear on this point. As long as a person meets one of the following criteria, that person is not a covered entity:
- A government agency.
- Some types of business entities that do not create, receive, maintain or transmit PHI are defined as “business associates.” A business associate is generally defined by what it does for the covered entity: it is hired to perform certain functions and provide certain services.
The following types of entities are not covered entities:
- An individual who is a member of the immediate family of a covered entity and who receives protected health information from a covered entity only for the individual’s own health care or remits such information to a third party for the individual’s own health care;
- State or local government agencies that do not maintain PHI in electronic form; and
- Health plan enrollees who do not have access to electronically protected health information.
Types of Entities Covered Under HIPAA
The HIPAA Security Rule defines three types of covered entities: “covered health care provider”, “health plan” and “health care clearinghouse.” Today, we’re going to talk about what the Security Rule has to say about covered health care providers.
Covered Health Care Provider
Covered healthcare providers are those organizations (e.g., healthcare providers, physicians, etc.) that transmit PHI electronically in connection with a transaction. For example, a covered healthcare provider may transmit data to a pharmacy benefits manager in connection with the processing of a prescription.
Not all healthcare providers are covered entities under HIPAA. Only those organizations that create, receive, maintain or transmit PHI electronically in connection with a transaction are covered entities.
Health plans are those organizations that offer or administer health benefit plans. The Security Rule does not differentiate between different types of health plans (e.g., insured or self-funded). All health plans are covered entities regardless of whether they are a PPO, HMO, Medicare or Medicaid plan.
For example, a plan administrator that runs a Medicare Part D prescription drug plan for certain covered employees would be a covered health plan. Conversely, consider an individual enrolled in a Medicare HMO who uses an independent contractor pharmacy where the pharmacist is paid a salary rather than an hourly wage. That individual would not be considered a covered health care provider, because the individual is not involved in the creation, transmission or treatment-related use of PHI.
Healthcare clearinghouses provide medical data to other healthcare providers for the purpose of verifying the eligibility for or enrollment in a health plan. The Security Rule does not require covered entities to use a particular entity as a clearinghouse. It simply requires that there be a mechanism by which protected health information is transmitted between healthcare providers.
What is a Business Associate?
A business associate is a person or organization (e.g., pharmacy benefits manager) that performs certain functions or activities on behalf of a covered entity and uses or discloses protected health information in connection with its performance of the function.
A business associate is not subject to all the requirements of the HIPAA Security Rule, but it must comply with all applicable “minimum necessary” requirements. For example, if a pharmacy benefits manager performs services for a physician to help the physician bill insurance companies, it would be considered a business associate.