HIPAA Covered Entities: Who Needs to Comply?

If you own a healthcare business or provide a service to one, you probably manage patient data. While easy access to patient data is crucial to optimize care services, it should not end up in the wrong hands or accidentally leak. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) holds care providers and their service partners accountable by enforcing several regulations. 

As more healthcare organizations or covered entities are facing expensive lawsuits due to data breaches, they can no longer afford to ignore patient privacy rights. 

If you work in the healthcare industry, chances are you qualify as a HIPAA-covered entity – which means you must comply with its regulations. In this article, we define HIPAA covered entities, analyze their rights, and the rules they should comply with. 

What is a HIPAA covered entity?

A covered entity is defined as anyone or any group that has to comply with the rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This includes:

1. Health plans
2. Healthcare clearinghouses
3. Healthcare providers who send health information electronically as part of transactions that meet HHS standards
4. Health care services

Covered entities can use and disclose ePHI for payment, treatment, and operations. They must comply with the HIPAA privacy rule to protect and secure the privacy of patient health information. Any individual or organization required to comply with the administrative rules (security, privacy, and breach notification) is called a HIPAA-covered entity. 

Let’s understand them in detail:

1. Health plans

Includes individual or group plans that provide or cover medical care. HIPAA protects different types of health plans, such as:

• Employer-sponsored group health plans
• Individual health insurance plans
• Government health programs like Medicare and Medicaid
• HMOs (Health Maintenance Organizations)
• Health insurance companies
• Specific government programs

Exceptions to health plans include: 

• Group health plans with less than 50 individuals whose employer is not a covered entity. 
• Government-funded programs that do not cover or provide health care, like food stamps. 
• Government-funded programs that directly provide health care, like community health centers, or collect funds for healthcare provision. 
• Insurance entities that provide only worker compensation, automobile insurance, or casualty insurance. 

2. Health care providers

Services of every size that provide health care and transmit health information electronically connected to certain transactions qualify as covered entities. A healthcare provider is any organization or professional that handles protected health information (PHI). This covers a wide range of entities, including:

• Doctors
• Clinics
• Nursing homes
• Dentists
• Psychologists
• Home health agencies
• Chiropractors
• Pharmacies
• Providers that send health information electronically

Additional examples of healthcare providers are:

• Therapists and other mental health professionals
• Laboratories
• Hospitals
• Renal dialysis facilities
• Blood centers
• Ambulatory surgical centers

Examples of transactions for this are:

• Claims
• Benefit eligibility inquiries
• Referral authorization requests
• Transactions that fall under HIPAA transaction rule

3. Healthcare clearinghouses

A healthcare clearinghouse is any entity that processes non-standard information standard one or vice versa. It checks and approves healthcare claims from providers and then sends them on to health plans for payment. Some examples of clearinghouses are:

• Billing services
• Companies that reprice claims
• Systems that manage health information for communities
• Networks or switches that add extra value

Also check: A Brief Comparison Between PII vs. PHI vs. PCI

4. Health care services

Any care, service, or medical supply that affects an individual’s health or body function qualifies as health care. You can download this free tool and checklist to know if you are a covered entity. 

Now that you know what a HIPAA-covered entity is, do you see yourself in one of these categories? If so, you’re probably thinking about getting HIPAA compliant.

However, the reality is that getting HIPAA compliant with a consultant or through manual way is time-consuming and will definitely put a dent in your pocket. Moreover, 60% of health tech businesses struggle with defining the scope for HIPAA compliance, which is a worrisome metric if you want to get the certification as soon as possible to continue doing business.

This is where compliance automation-powered tools like Sprinto come in handy.

Note: We have free resource for you to check out if you want to check how you align as a covered entity. Download the checklist below.

HIPAA-covered entity rights

The privacy rule extensively covers patients’ rights over their health data and how HIPAA-covered entities should use it. At the same time, it seeks to balance out its usage in a way that enables covered entities to maximize care services while staying HIPAA compliant. 

Here are the rights you have as a covered entity: 

Signed patient consent requirement: You do not need authorization in the form of signed consent from patients if you share health data for treatment. 

Incidental disclosure elimination: There is no need to eliminate all incidental disclosures as it is impractical. Incidental disclosures don’t violate privacy rules as long as you have policies to sufficiently protect and limit us and disclosure of PHI. 

Communication with the patient’s family

If you have the patient’s authorization, you can: 

• Share patient information with their friends, family, and other concerned individuals. 
• Notify family members or any person responsible for the patient care about their location and health condition. 
• Share information when the patient is incapacitated if that is in the patient’s best interest. 

Patient visit and contact

As long as the patient does not object, care centers can share a phone number, room number, and health condition with family or friends, list it in the hospital directory, share it with those who call and ask for it, and share it with clergy affiliated to a religious institution. 

Child abuse reporting

Covered entities can report child abuse or neglect cases to appropriate authorities. Generally, HIPAA allows information to be shared without needing authorization from a legal guardian when it’s about treating the child, dealing with abuse or neglect, or addressing public health and safety concerns. However, HIPAA also controls how information is shared with the child’s legal guardian, especially if sharing it might risk the child’s safety.

Communication via electronic means

The privacy rule allows you to communicate with patients or providers via e-mail, phone, or other electronic means using appropriate means to protect data. 

Also, Find out what HIPAA law talks about

HIPAA rules that Covered Entities must follow

Covered entities are subject to regulations that dictate how they handle PHI. Compliance with these rules is a must if you want to ensure patient confidentiality and avoid penalties for non-compliance. Here are the rules on a case-by-case basis:

• Covered entities must ensure that their business associates follow HIPAA rules when handling transactions on their behalf
• This means ensuring business associates adhere to all the HIPAA requirements and ensuring their subcontractors do too
• While the nitty-gritty HIPAA rules directly apply to covered entities, those entities must ensure their business associates also play by the rules
• Business associates and their agents or subcontractors must adhere to HIPAA standards for electronic transactions, code sets, unique identifiers, and operating rules when handling transactions for covered entities.
• If the HHS finds that a covered entity’s business associate has violated HIPAA regulations, the covered entity is held responsible
• Engaging a business associate does not exempt the covered entity from compliance obligations
• Actions or inactions of business associates are imputed to the covered entity, potentially leading to noncompliance findings against the covered entity by HHS

HIPAA rules for Business Associates

A business associate is an entity like an organization or an individual who provides services on behalf of a covered entity.

• Security measures like administrative, physical, and technical safeguards must be in place to protect PHI, just like for covered entities
• Breaches must be reported within 60 days, with details provided to the covered entity. Your Business Associate Agreement might require faster reporting
• Privacy provisions include limiting PHI use, cooperating with HHS investigations, not retaliating against complaints, and managing subcontractor agreements

For more information, also read, Who Does HIPAA Apply To [Top 5 Entities]

What are some examples of covered entities?

Some examples of HIPAA-covered entities are individuals, businesses, agencies, or organizations.  However, determining who exactly falls under this definition can sometimes be tricky due to exceptions and gray areas.

To give you an idea, here’s what you need to know:

Health plans	Health care providers	Health care clearinghouses	Health care: Care, service, or supply related to:
– Health – Dental – Vision – Prescription drug insurers -Long-Term Care  -Insurers -Health insurance companies -Health maintenance organizations (HMO) – Health plans sponsored by employee – Government-funded healthcare programs such as Medicare, Medicaid, military or veteran health program  – Government and church-sponsored health plans – Multiemployer health plans	– Doctors- Clinics- Psychologists- Dentists- Chiropractors- Nursing Homes- Pharmacies	– Billing service providers- Repricing organizations- Community health management information system	– Prevention – Diagnostics – Therapy – Rehabilitation – Maintenance or palliative care  – Counseling service assessment  – Procedure concerning the physical, mental, or functional status

How to automate HIPAA compliance?

Running a healthcare business can be hectic. You never know where a security crack sits on your infrastructure, waiting for someone to take the wrong action and unleash the lawsuit monster. 

Fortunately, there is a simple yet efficient solution for you. The Sprinto solution is a HIPAA compliance multi-tasker that has one job – to make your life easier. 

Why choose Sprinto?

With Sprinto, you monitor your environment nonstop for non-compliance. It alerts you when someone takes a risky action or when a breach is waiting to pounce on you. Also, it trains your employees to turn them into HIPAA soldiers – so that everyone contributes to your security and is not a liability. 

With Sprinto, you’ll get access to the extensive library of ready-to-use security and privacy HIPAA policy templates. Of course, you can easily tailor these templates to your company’s needs or upload your policies for quick review and approval. 

For example, Neurosynaptic, an Indian company, creates telemedicine solutions that allow doctors and patients to consult in real time. To ensure compliance with HIPAA regulations, they used technology for monitoring. After carefully considering different compliance automation options, they decided on Sprinto. Read the full case study here.

With the help of experts, Neurosynaptic completed the HIPAA implementation in just 5 sessions and started monitoring compliance for audits. 

With Sprinto, employees can conveniently agree to HIPAA policies and procedures directly within the dashboard. Keep track of policy versions and changes with Sprinto’s single-view dashboard. 

More importantly, we can help you breeze through your HIPAA journey. Speak to our experts today. 

FAQs

Who is not a HIPAA-covered entity?

Individuals, businesses, or service providers who do not transmit patient health data electronically or do not qualify as healthcare providers, healthcare plans, or healthcare clearinghouses are not HIPAA-covered entities. 

What are the exemptions from HIPAA?

The HIPAA privacy rule states that certain exemptions apply to covered entities. These are enforced when there is unintentional use or access of PHI, accidental disclosure to an authorized individual, and disclosure of PHI in good faith. 

Does HIPAA allow covered entities?

Yes, HIPAA allows covered entities to use and disclose PHI without an individual’s authorization, but it’s not mandatory for them to do so.

Is HIPAA only in the US?

HIPAA primarily applies within the United States but can extend internationally when a Covered Entity or Business Associate shares PHI with a third party located overseas. In such cases, the overseas third party is considered a Business Associate and must adhere to relevant HIPAA regulations.