What are Covered Entities?
We are writing about Covered Entities today to highlight some of the less obvious aspects of this very basic HIPAA rule.
If you have a question not answered here, let us know!
There are two groups responsible for HIPAA compliance: Covered Entities and Business Associates. Most Covered Entities have direct contact with patients. Business Associates don’t see patients, but they “create, receive, maintain or transmit” protected health information (PHI). Business Associates are separately responsible for complying with HIPAA – you can learn more here in our June 25, 2019 blog.
Under HIPAA, “covered entity” means a Health Care Provider, Health Plan or Health Care Clearinghouse.
- A Health Care Provider is a person or entity recognized by the Federal government under the Social Security Act to provide medical or health services that transmits any health information in electronic form in connection with a HIPAA “Transaction” – the transmission of information to carry out financial or administrative activities related to health care. For example, a Transaction is sending a claim to a Health Plan to request payment for medical services using a standard government-approved code, also called a “Standard Transaction”.
- A Health Plan in general is a type of insurance that covers the costs of medical care and includes Group Health Plans established by an employer for the benefit of employees.
- A Health Care Clearinghouse is an entity that processes health information into Standard Transaction format and facilitates electronic exchanges between its customers to carry out their financial or administrative activities.
Some clearly recognized examples of covered entities:
But what about the lab where you get a test, the pharmacy where you pick up a prescription, the home health agency that takes care of your parents, or the EMS first responders you see on the highway? All of these are covered entities and held to the same strict HIPAA standards that should be explained in their Notice of Privacy Practices.
- Health Insurance Company
- Senior or Assisted Living
- Mental Health Therapist
- Child Protective Services
- Physical or Occupational Therapist
Think of yourself as a patient. Are you confident that all of the covered entities you interact with are protecting your information? If you are an organization that is less widely recognized as a covered entity, are you meeting all of the required standards? In other words, is your organization at risk?
Common Questions about Covered Entities
Question: If a doctor (or therapist or social worker, etc.) sees patients but only accepts cash and doesn’t communicate electronically about payment, are they a covered entity?
Answer: No. Remember the definition is a “Health Care Provider who transmits any Health Information in electronic form in connection with a transaction…” (italics added). A medical professional who relies only on cash for payment and does not submit claims electronically is not a HIPAA covered entity.
Question: What does a covered entity need to do to comply with HIPAA?
Answer: Have current HIPAA policies and procedures in place – follow the policies and create a culture of compliance with staff. Do a site-specific Risk Analysis in all locations once a year. Train the staff about HIPAA and cybersecurity.
Some key requirements from the HIPAA policies include having a Notice of Privacy Practices and making it available in print and electronically, ensuring patients have access to their medical records if they request it, and evaluating potential breaches of medical information that may occur.
Question: Is a volunteer at a community health organization a covered entity?
Answer: No. But the community health organization is, and under HIPAA, the volunteer is a member of the community health organization’s workforce, so they should follow the organization’s policies and should receive HIPAA training. Unpaid volunteers, employees, independent contractors, and interns are all ‘workforce’ under HIPAA.
Question: Is an urgent care center a covered entity?
Question: Is a solo practitioner therapist a covered entity?
Answer: A therapist who provides services covered by the Social Security Act (for example, behavioral, physical and occupational therapy) and transmits information to carry out financial or administrative activities related to health care (Transactions) is a covered entity.
Question: What about a massage therapist?
Answer: Commercial massage therapists generally are not health care providers. However, massage therapy conducted by or on behalf of a health care provider like a chiropractor or physical therapist may be subject to HIPAA compliance.
Governments and Nonprofits Can Be Covered Entities
Question: Is a government organization, like a county or state health clinic, required to follow HIPAA?
Answer: Yes, there is no exemption for government entities. If they are providing health care, and communicating health information in connection with transactions electronically, they are a covered entity. The VA is a good example, as is a state or county health clinic.
Question: Is a nonprofit agency providing low cost or free health services required to follow HIPAA?
Answer: Yes, there is no exemption for nonprofit organizations.
Question: Is a school nurse required to follow HIPAA?
Answer: No, a school nurse is not a covered entity. But another law applies: the Family Educational Rights and Privacy Act (FERPA), which helps protect the privacy of student education records, including medical records.
The HIPAA E-Tool® Understands Covered Entities
The HIPAA E-Tool® understands that different types of covered entities have different needs. We have clients from senior living, health plans, hospitals, doctors, home health, and EMS agencies, with forms and advice tailored to each type of organization, large and small – we help sole practitioners, multi-location facilities and health clinics, whether private, nonprofit or government-run.
You won’t find HIPAA expertise like this all in one place anywhere else!