HIPAA defines certain entities as covered entities and imposes specific responsibilities to ensure compliance. If you are involved in the healthcare industry or handle patient health information, you might fall under the category of a covered entity. To determine if you’re a covered entity under HIPAA, consider whether your organization is a healthcare provider, health plan, or healthcare clearinghouse that transmits any health information electronically in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards, like billing or insurance claims.
What are covered entities?
HIPAA categorizes covered entities into three main groups: healthcare providers, health plans, and healthcare clearinghouses. Understanding the scope of each category can help determine your covered entity status.
Healthcare providers
Healthcare providers include doctors, nurses, dentists, psychologists, hospitals, clinics, nursing homes, and pharmacies. If you provide healthcare services to patients, you fall under the classification of a healthcare provider.
Healthcare providers diagnose and treat patients, maintain medical records, and handle sensitive health information. As a healthcare provider, you have access to protected health information (PHI), which includes individually identifiable health information.
Health plans
Health plans are entities that provide or pay for medical care. This includes health insurance companies, employer-sponsored health plans, government programs, and health maintenance organizations (HMOs). If you administer or offer health insurance coverage, you are considered a health plan and, therefore, a covered entity.
Health plans handle significant volumes of PHI as they process claims, maintain enrollment information, and handle billing and payment processes. They are responsible for ensuring the privacy and security of the PHI they handle, both within their own organizations and when sharing information with healthcare providers.
Healthcare clearinghouses
Healthcare clearinghouses are entities that process nonstandard health information into standardized formats. They often facilitate the transmission of health information between different parties. Examples of healthcare clearinghouses include organizations that convert paper-based medical records into electronic formats and those involved in claims processing. If you engage in these activities, you may be classified as a healthcare clearinghouse.
Determining your covered entity status
1. Assessing your services
If you offer medical care, diagnosis, treatment, or other healthcare-related services, you fall under the category of a healthcare provider.
Consider the scope of your services and whether they involve direct patient care. Evaluate the nature of your interactions with patients and the level of access you have to their health information. If you are engaged in providing medical services, you must carefully review HIPAA regulations to ensure compliance.
2. Handling protected health information (PHI)
If your organization or role involves creating, maintaining, transmitting, or receiving PHI, you fall under HIPAA's purview. Evaluate the types of data you handle and the level of sensitivity involved. If you routinely handle PHI as part of your operations, you are a covered entity subject to HIPAA regulations.
3. Involvement in health insurance coverage
If your organization provides or pays for medical care, for example by administering or offering health insurance coverage, you fall under the health plan category.
Evaluate the nature of your insurance or coverage activities, the types of plans you administer, and the extent of your involvement in managing and processing health information.
4. Clearinghouse functions
If your organization facilitates the transmission of health information, converts paper-based medical records into electronic formats, or performs data transformations for the purpose of interoperability, you fall under the healthcare clearinghouse category.
Evaluate your organization's role in processing health information, the types of services you provide, and the extent to which you interact with other covered entities.
You can determine your covered entity status by assessing the nature of your services, handling of PHI, involvement in health insurance coverage, and engagement in clearinghouse functions.
In 2023, a total of 733 breaches occurred. Healthcare providers accounted for 62.3% of them, health plans for 14%, and clearinghouses for only a minor portion, at just 0.3%. Knowing whether you're a covered entity under HIPAA helps you understand your responsibilities and how to maintain compliance.
FAQs
Does HIPAA apply to hybrid organizations with both healthcare and non-healthcare divisions?
Yes, if part of an organization qualifies as a covered entity, that specific division must comply with HIPAA. However, non-healthcare divisions may not be subject to HIPAA rules unless they handle PHI.
Are business associates considered covered entities under HIPAA?
Business associates are not covered entities, but they are still required to follow HIPAA rules for protecting PHI under a business associate agreement (BAA) with a covered entity.
Can a covered entity status change based on business operations?
An organization’s covered entity status could change if it starts or stops handling PHI or providing healthcare-related services that meet HIPAA criteria.