What is a HIPAA Covered Entity?

Apr 12, 2024

A HIPAA covered entity is an individual, institution, or organization that fulfills the applicability criteria of §1172a of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This generally means health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Secretary of Health and Human Services (HHS) has adopted standards. However, there are exceptions.

To establish whether an individual, institution, or organization qualifies as a HIPAA covered entity, it is often necessary to review the definitions section of the HIPAA General Provisions (§160.103). This is because there are many different types of individuals, institutions, or organizations that might qualify as a health plan, health care clearinghouse, or healthcare provider. There are also many exceptions that might apply.

With regard to healthcare providers, it is also the case that providers only qualify as HIPAA covered entities if they conduct electronic transactions covered by Part 162 of the HIPAA Administrative Simplification Regulations. If a healthcare provider does not conduct covered transactions (e.g., bills patients directly) or does not conduct the transactions electronically (e.g., via a PSTN system), the healthcare provider does not qualify as a HIPAA covered entity.

However, if Healthcare Provider A – who does not qualify as a HIPAA covered entity – provides a service for or on behalf of Healthcare Provider B – who does qualify as a HIPAA covered entity – Healthcare Provider A becomes a business associate of Healthcare Provider B. As a business associate to a covered entity, Healthcare Provider A will have to comply with all applicable standards of the HIPAA Privacy, Security, and Breach Notification Rules.

Examples of Covered Entities under HIPAA

Health Plans

The definition of health plans in §160.103 includes group health plans as defined in section 3(1) of the Employee Retirement Income Security Act (ERISA), health insurance issuers, health maintenance organizations, and most federally funded health programs. Federally funded health programs include (but are not limited to) Medicare, Medicaid, the Veterans Health Care Program, and the Uniformed Services Health Care Program.

Exceptions include employers’ self-insured and self-administered health plans with fewer than fifty members – provided any medical Flexible Spending Accounts or Health Reimbursement Accounts also provided by the employer are self-administered. More commonly, health insurance issuers are exempted from HIPAA compliance if they only provide excepted benefits (e.g., workers’ compensation) or health benefits secondary to the primary coverage.

This means, for example, if a driver is injured in an auto accident, and the auto insurance issuer covers the driver’s healthcare costs as a secondary benefit of the auto insurance, the insurance issuer is not a HIPAA covered entity. Because the insurance issuer is not a HIPAA covered entity, it is not required to comply with the HIPAA Privacy, Security, and Breach Notification Rules with respect to the injured driver’s Protected Health Information (although other laws may apply).

Health Care Clearinghouses

At the time HIPAA was passed, there was no standardization of healthcare transaction codes. Health care clearinghouses acted as middlemen between healthcare providers and health plans, “translating” transaction codes used by one party into the transaction codes used by another party. Because a single healthcare provider might deal with dozens of health plans, health care clearinghouses were vital to the operation of the healthcare system.

As transaction codes were standardized, the need for clearinghouses’ translation services declined. However, as more transaction codes were added to Part 162 – and states published new regulations relating to co-pays and deductibles – their expertise, experience, and existing infrastructures became invaluable for health plans and healthcare providers without the resources to manage eligibility, enrollment, authorization, claims, and billing transactions.

To put the role of health care clearinghouses into context, one of the four medical data code sets in Part 162 – ICD-10 – has more than 68,000 different transaction codes for different diagnoses and treatments. Once you multiply the transaction codes by the number of National Drug Codes and HCPCS Codes for medical services and medical supplies, it is not difficult to acknowledge the important role health care clearinghouses still play in the healthcare system.

Healthcare Providers

Healthcare providers constitute a diverse category of HIPAA covered entities, encompassing a broad spectrum of individuals and organizations dedicated to delivering medical care. This category of HIPAA covered entities includes solo practitioners, physicians, specialists, therapists, dentists, hospitals, outpatient clinics, ambulatory surgery centers, pharmacies, behavioral health facilities, and nursing homes, among others.

These entities create, receive, store, and transmit extensive volumes of Protected Health Information as an integral part of patient diagnosis, treatment, and medical research. HIPAA mandates that healthcare providers uphold stringent privacy and security measures to protect Protected Health Information. They must also allow patients to access their medical records, to request corrections or amendments, and to request accountings of disclosures.

The major difference for this category of HIPAA covered entities is that they are mostly public facing. Healthcare providers and members of their workforces often have to work in difficult environments. This can increase the risk of unauthorized disclosures and privacy violations due to compliance shortcuts being taken in order “to get the job done” – notwithstanding that HIPAA is not the only regulation healthcare providers and their workforces have to comply with.

Educational Institutions

Federally funded educational institutions generally do not qualify as HIPAA covered entities because students’ medical records are classified as educational records under the Family Educational Rights and Privacy Act (FERPA). As HIPAA excludes FERPA-covered records from the definition of Protected Health Information, federally funded schools, colleges, and universities are not required to comply with HIPAA.

If a school, college, or university does not receive federal funds, it is not an educational institution as defined by FERPA. In such cases, individually identifiable health information collected, received, stored, or transmitted by the educational institution qualifies as Protected Health Information. This means that the educational institution qualifies as a HIPAA covered entity and must comply with the Privacy, Security, and Breach Notification Rules.

The situation regarding teaching hospitals and medical schools can depend on the point at which students first interact with patients. If patient interaction begins in Year 1, the institution qualifies as a HIPAA covered entity for its teaching activities and students must receive HIPAA training within “a reasonable period” of commencing their medical education (§164.530). If patient interaction starts later, the institution might qualify as a partial or hybrid entity.

Partial, Hybrid, and Affiliated HIPAA Covered Entities Explained

Partial covered entities are organizations that must comply only with specific Parts of HIPAA. The best example of this is when prescription drug card sponsors were permitted by the Medicare Modernization Act to collect Protected Health Information. As prescription drug card sponsors did not conduct electronic transactions, they were required to comply with the Privacy Rule, but not the Security Rule. The Breach Notification Rule did not exist at the time.

Hybrid entities are organizations that provide both covered and non-covered activities. The best example of this is when a school provides healthcare services to both students and members of the public. The healthcare services provided to students are exempt from HIPAA, while the healthcare services provided to members of the public qualify the school as a HIPAA covered entity. In such circumstances, data sets for the two services must be isolated from each other.

Affiliated Entities are legally separate covered entities under the same ownership or control. Being affiliated enables units within the group to disclose Protected Health Information to each other without the need for multiple Business Associate Agreements. This situation might apply to teaching hospitals if the educational element of the teaching hospital is a legally separate entity from the healthcare element of the teaching hospital.

Why it is Important to Understand What a HIPAA Covered Entity Is

Although the definition of a HIPAA covered entity has not changed since the passage of HIPAA in 1996, the way in which healthcare in the U.S. is delivered and paid for has changed. This means that, whereas there were few exceptions to the definition of a covered entity in 1996, there are many more now. In addition, some individuals, institutions, or organizations that might not have fulfilled the applicability criteria at the time, now find they may have to comply with HIPAA.

There is also a wider range of business models used in the health insurance and healthcare industries. Because of this, it is not always a “Yes” or “No” answer to whether an individual, institution, or organization qualifies as a HIPAA covered entity. For example, when an individual, institution, or organization has more than one function, it may operate as a partial entity or a hybrid entity depending on the nature of the functions and how the functions interact.

Being a HIPAA covered entity means that you have to comply with the applicable standards of the Privacy, Security, and Breach Notification Rules. You may also have to be familiar with Part 162 of the Administrative Simplification Regulations even if claims and billing operations are contracted out. If you are not certain of your obligations as a HIPAA covered entity, it is advisable to seek professional compliance advice.


ComplianceJunction
