Covered Entities under HIPAA - Do You Know Who They Are?

Description

HIPAA sets national standards to protect the privacy and security of individuals’ protected health information (PHI). At the core of HIPAA’s Administrative Simplification provisions is the concept of covered entities, specific organizations and individuals that must comply with HIPAA’s Privacy, Security, and Breach Notification Rules because of the type of health information they handle and how they use it.

Under HIPAA, covered entities consist of three main categories: health plans, health care clearinghouses, and health care providers. Health plans include health insurance companies, HMOs, and government programs that pay for health care, such as Medicare and Medicaid. Health care clearinghouses are organizations that process or transform health information received from another entity into standardized formats for processing.

Health care providers are individuals or organizations (physicians, clinics, pharmacies, psychologists, dentists, and others) that transmit any health information electronically in connection with certain standard transactions such as claims, eligibility inquiries, or billing. So how then can one person be a covered entity? They are not an entity, they are a person.

Only entities that meet the regulatory definitions outlined in 45 CFR § 160.103 are covered entities. Entities that do not qualify — even if they handle health-related data — are generally not subject to HIPAA’s privacy and security protections.

For example, a flexible spending account (FSA) or a cafeteria plan only becomes a covered entity when it meets the definition of a group health plan under the Employee Retirement Income Security Act (ERISA) and provides medical care. FSAs that are self-administered with fewer than 50 participants do not qualify as group health plans and therefore are not covered entities.

Similarly, an organization acting as a third-party administrator (TPA) for a group health plan is not automatically a covered entity just by virtue of its administrative role. Instead, such TPAs typically fall under HIPAA as business associates — entities that perform functions for or on behalf of a covered entity involving PHI and must enter into Business Associate Agreements.

State, county, and local health departments illustrate another nuance. These public agencies must comply with HIPAA only if they carry out functions that fall within the definitions of covered entities — such as operating as a health plan (e.g., Medicaid) or a health care provider transmitting electronic health transactions. A health department with mixed functions may elect to designate its covered functions as a “hybrid entity” with specific HIPAA obligations applied to the health care component of the organization.

Understanding who is a covered entity is critical because it determines which organizations must uphold individuals’ rights to privacy, data security, and breach notifications, and which must implement policies, training, and safeguards to protect PHI. HIPAA compliance ensures that sensitive health data is handled responsibly and empowers individuals with rights regarding their personal health information.

Areas Covered in the Session

• Definitions of HIPAA Covered Entities and Why They Matter
• Covered Entities vs. Business Associates
• Categories of Covered Entities: Health Plans, Healthcare Providers, and Healthcare Clearing Houses
• Special Cases: FSA, Cafeteria Plans, Third Party Administrators, State Laws
• Privacy and Security Compliance
• How One Health Care Practitioner Can be a Covered Entity

Why should you Attend?

Learn about what and who the covered entities are and how they interact within the healthcare system. Find out how they interact with and impact you as a healthcare practitioner. Answer the question: Can One Person be a Covered Entity?

Who will Benefit?

Healthcare practitioners who interact with covered entities or are a part of a covered entity themselves.