What is a Covered Entity Under HIPAA?
Danielle Kelvas, MD
When in doubt, anyone or any company that handles protected health information (PHI) should be well informed about the HIPAA Privacy Rule. That said, HIPAA is legally binding only on covered entities and their business associates; it does not automatically bind every person or institution that collects health information. Because that distinction is confusing, this article summarizes a few lists to help clear the haze.
What is a Covered Entity?
A covered entity is an individual, organization, or agency that falls into one of three groups defined by the Department of Health & Human Services (HHS): health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard (for example, submitting claims electronically). Simply collecting and processing PHI is not enough on its own; it is the electronic standard transaction that brings a provider under the rule.[1]
Examples of covered health care providers and institutions include:[1,5]
- Physician Assistants
- Nurse Practitioners
- Nurse assistants
- Academic medical centers
- Nursing homes
- Pharmacies and pharmacists
- Rehabilitation centers
- Palliative care
- Anyone who furnishes care, services, or supplies related to the health of an individual, including preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and any counseling or assessment that affects the structure or function of the body
- Any company that sells or dispenses drugs, devices, equipment, or other items in accordance with a prescription
Covered entities also include health plans such as private health insurers, Medicare, Medicaid, veterans' health care programs, the Indian Health Service program, and health maintenance organizations (HMOs).[1]
Those doing medical research qualify as covered entities only if they are also health care providers who electronically transmit PHI in connection with a transaction for which HHS has adopted a standard. This can include physicians who run clinical trials, if they meet that test.[5]
A covered entity also includes health care clearinghouses. According to the National Institute of Standards and Technology (NIST), a health care clearinghouse is a public or private entity that processes, or facilitates the processing of, health information from a nonstandard format into a standard format, or vice versa. Examples include billing services, repricing companies, community health management information systems, and value-added networks and switches.[2]
In practice this is the middleman between providers and insurers. Clearinghouses check medical claims for errors so they can be processed correctly, quickly, and efficiently. They are easily confused with financial clearinghouses that settle payments between banks; those are not health care clearinghouses under HIPAA.[4]
What is a Business Associate?
Because processing electronic health records is complex, most organizations outsource parts of the work to third parties. The HIPAA Privacy Rule allows covered entities to share PHI with these business associates, and with the business associates' own subcontractors, but only under a written business associate agreement. Business associates are themselves directly liable for complying with the Security Rule and with the Privacy Rule provisions their contract requires.[3]
A few examples of business associate functions and services include:[3]
- Claims processing or administration
- Data analysis
- Utilization review
- Quality assurance
- Benefit management
- Practice management
- Attorneys and legal assistants
- CPAs and any accounting services
- Data aggregation
- Scribes and medical transcriptionists
Covered entities may share PHI with a business associate only if the business associate:[3]
- Signs a written contract and provides satisfactory assurances that the PHI will be used only for the purposes for which the covered entity engaged it. For example, the PHI cannot be sold or repurposed for the associate's own research or marketing.
- Commits to appropriately safeguarding the PHI from misuse and unauthorized access, and can show how it will do so.
- Agrees to assist the covered entity in complying with the HIPAA rules, for example by reporting breaches and security incidents to it.
- Uses the PHI only as needed to perform its work for the covered entity, not for any independent purpose.
Despite all of these rules, there are exceptions to the contract requirement. Disclosures to another health care provider for treatment do not require one: if a patient is admitted, treated, and discharged from a hospital and referred to a specialist in clinic 1-2 weeks later, the hospital and the outside provider do not need to sign a business associate contract.[3]
Likewise, if a physician or hospital orders labs on a patient, no contract with the laboratory company is needed. The reason is that the outside physician and the laboratory are covered entities in their own right rather than business associates of the hospital, so all three remain bound by HIPAA regardless.[3]
What is a Hybrid Entity?
To define one more term, there is also such a thing as a hybrid entity: a single organization that has both health care functions and operations that do not involve PHI. A medical school is a typical example. It is tied to local hospitals as an academic medical center, where medical students and physicians work, rotate, and study, yet the university side of the school functions as an ordinary business and educational institution.[5]
If research is performed at the medical school by a physician who works part-time as an associate professor and part-time in the hospital, he or she is part of the covered entity in the hospital role but not in the university role, provided the research does not itself involve electronically transmitting PHI for a standard transaction.[5]
According to the National Institutes of Health, the formal definition of a hybrid entity is “A single legal entity that is a covered entity, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components.”[5]
- [1] Covered Entities and Business Associates. HHS.gov. Last updated June 16, 2017. Retrieved Jan 5, 2023, from https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.
- [2] Healthcare Clearinghouse. NIST Computer Security Resource Center Glossary, National Institute of Standards and Technology, U.S. Department of Commerce. Retrieved Jan 5, 2023, from https://csrc.nist.gov/glossary/term/Healthcare_Clearinghouse.
- [3] Business Associates. HHS.gov. Last updated April 3, 2003. Retrieved Jan 5, 2023, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
- [4] Healthcare Clearinghouse: What It Is and How It Can Help. Smart Data Solutions. Posted Sept 9, 2020. Retrieved Jan 5, 2023, from https://sdata.us/2020/09/09/what-is-a-healthcare-clearinghouse.
- [5] To Whom Does the Privacy Rule Apply and Whom Will It Affect? National Institutes of Health. Last updated Feb 2, 2017. Retrieved Jan 5, 2023, from https://privacyruleandresearch.nih.gov/pr_06.asp.