What is a HIPAA covered entity?

To be HIPAA compliant, there are certain rules and regulations. HIPAA covered entities are those who must comply, and they can be a person, institution or organization. Currently, there are three categories of covered entities:

• Health plans

These entities include health insurance companies; HMOs, or Health Maintenance Organizations; employer-sponsored health plans; and government programs that pay for healthcare. This includes Medicare, Medicaid, veterans' and military health programs.

• Health care clearinghouses

These are organizations who process nonstandard health information and transpose it to data content or formatting standards for other organizations.

• Health care providers

Any entity submitting HIPAA-related transactions fall under this umbrella. This includes electronic claims, prescriptions, etc. Doctors; pharmacists; dentists; chiropractors; nursing homes; pharmacies and clinics are all examples of active healthcare providers.

While there are only three covered entities, if any one of these entities use the services of a business associate who used protected health information, they must also comply with HIPAA privacy standards.

What is considered a Business Associate?

This is a person or entity performing functions or activities regulated by HIPAA Administration Simplification Rules that involve using or disclosing protected health information for a covered entity. In these cases, a Business Associate Agreement (BAA) will be required.

What is a Business Associate Agreement?

A BAA is a written contract between a covered entity and business associate required for HIPAA compliance. There are at least 10 provisions that must be covered in this contract. Third party administrators are not considered covered entities but may be considered a business associate.

Employers may or may not be a covered entity. If they have specific wellness programs; employee assistance programs; medical reimbursement accounts; self-funded or administered health insurance benefits for employees or have an onsite clinic, they will be considered a covered entity.

If you have questions on whether your organization is a covered entity or business associate, it would be best to use the Covered Entity Guidance tool to help make the final decision.