The HIPAA Covered Entity definition seems quite simplistic. The Privacy Rule defines a Covered HIPAA Entity a health plan or healthcare clearinghouse, or any healthcare provider who sendss Protected Health Information (or PHI as per the standards created by the Department of Health & Human Services) in electronic form.
However, reading deeper into the HIPAA Covered Entity definition uncovers a few unclear areas. For instance insurance companies providing workers’ compensation are not regarded as health plans, despite the fact they will be in receipt of personally identifiable information – usually thought of as to be protected – in the process of settling workers´ compensation claims.
A further unclear area exists around the definition of a healthcare clearinghouse – which, in most cases only receives PHI when it is providing processing services to a health plan or healthcare provider. This would make a healthcare clearinghouse a Business Associate (see “HIPAA Covered Entity vs Business Associate) instead of a Covered HIPAA Entity under the HIPAA Covered Entity definition.
Are Employers HIPAA Covered Entities?
One would think if a healthcare clearinghouse is defined as a Covered Entity under HIPAA, an employer must also. An employer – particularly an employer´s HR department – receives lots of personally identifiable information that is classified as protected; but even when an employer funds a self-insured group health plan, the answer to “Is an employer a HIPAA Covered Entity?” is usually “No”.
The reason for this is because a self-insured group health plan is thought of as a separate legal entity from the funding employer. Therefore it is the group health plan and not the employer that is the Covered Entity under HIPAA – unless the employer also manages the group health plan and it has more than fifty participants. (This scenario rarely happens. Large plans are usually managed by a third party who acts as a Business Associate to the group health plan).
However, because PHI is given to an employer in the execution of administrative functions on behalf of the group plan, certain conditions are in place about the use and disclosure of the information. Among these conditions is that the data shared with the employer will remain secured (as per the HIPAA Privacy Rule) and not used-for employment-related actions. In essence, employers – although not Covered Entities – are governed by the same rules as a Covered HIPAA Entity in certain circumstances.
Examples of IPAA Covered Entities
We have included the examples provided by the Department of Health & Human Services. These examples are not complex and are subject to change.
HIPAA-covered health plans are mostly plans that insure against the expense of health treatment, dental treatment, vision treatment or prescription drugs. Other HIPAA Covered Entity examples within the health plan category are health maintenance organizations (“HMOs”), long-term health insurers (excluding nursing home fixed-indemnity policies) and – as mentioned previously – employer-sponsored group health plans, government and church-funded health plans, and multi-employer health plans.
In medical billing, healthcare clearinghouses are sent claims information from healthcare providers, check the claims for mistakes, and verify the format of each claim is compatible with the payer´s software. Healthcare clearinghouses, repricing firm, and community health management information systems are classed as HIPAA Covered Entity examples as their sole roles are PHI-related – an important point to note before talking about “HIPAA Covered Entity vs Business Associate” below.
The HIPAA Covered Entity definition of a healthcare provider has not been amended since 1999 despite the healthcare sector evolving substantially. Therefore HIPAA Covered Entity examples of healthcare supplier remains “providers who submit HIPAA transactions electronically” – electronic transactions such as claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has developed standards under the HIPAA Privacy or Security Rule.
HIPAA Covered Entity vs Business Associate
There have been many references to date in this article about Business Associates, and it is important to note how the definitions of a HIPAA Covered Entity vs Business Associate differ. It was remarked above that a healthcare clearinghouse is classified as a HIPAA Covered Entity because its sole role is PHI-related. By comparison a Business Associate is an entity whose main role is unrelated to PHI, but who has access to it in the provision of a service carried out on behalf of a Covered HIPAA Entity.
Since the publication of the Final Omnibus Rule in 2013, Business Associates are just as responsible for the security of any PHI they encounter as a Covered Entity under HIPAA. Before sending PHI to a Business Associate, a Covered Entity should complete due diligence on the service provider and obtain a signed Business Associate Agreement stating out the permissible uses of the PHI; but even without an Agreement in place, Business Associates can still be penalized if they are to blame for a breach of PHI.
A similarity in a HIPAA Covered Entity vs Business Associate comparison is, if a Business Associate subcontracts duties that includes an electronic exchange of PHI, the Business Associate also has to conduct due diligence on the subcontractor. The Business Associate has to ensure the subcontractor adheres with the Privacy and Security Rules and sign a Business Associate Agreement with the subcontractor, who then takes responsibility if a breach of PHI happens.
When a Covered Entity Governed by HIPAA Works for another Covered HIPAA Entity
One particularly complex area of HIPAA legislation is the different cases that occur when a Covered Entity under HIPAA works for – or provides a service for – another Covered HIPAA Entity. Under the HIPAA Privacy Rule there is no requirement for a Covered Entity to sign a Business Associate Agreement with another Covered Entity when PHI is being shared for treatment purposes – for instance if a radiologist interprets diagnostic images on behalf of a local physician.
However, if a hospital (Covered Entity A) used the services of another hospital (Covered Entity B) to assist with the training of medical students, it would be a requirement for a Business Associate Agreement to be completed before Covered Entity A could disclose PHI to Covered Entity B. Similarly, if a healthcare clearinghouse was not able to format a claim so it is compatible with a payer’s software, it would have to complete a Business Associate Agreement with a healthcare clearinghouse that was able to format the claim.
It is vital to add at this point that an employee of a Covered HIPAA Entity is neither a Covered Entity under HIPAA nor a Business Associate. The American Hospitals Association says: “Any person(s) whose conduct, in the performance of work for a Covered Entity, is under the direct control of such entity, whether they are paid by the Covered Entity or not”. This definition includes not only staff, but also agency nurses, temporary workers and volunteer workers.