Keeping PHI Secure: Quick Guide on HIPAA Covered Entities



Feb 16, 2023

HIPAA Covered Entities

If you own a healthcare business or provide a service to one, you probably handle and manage patient data. While easy access to patient data is crucial to optimize care services, it is equally important to ensure that it does not end up in the wrong hands or leak accidentally. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) holds care providers and their service providers accountable by enforcing a number of regulations. 

As more healthcare organizations or covered entities are facing expensive lawsuits due to data breaches, they can no longer afford to ignore patient privacy rights. 

If you work in the healthcare industry, chances are you qualify as a HIPAA covered entity – which means you must comply with its regulations. In this article, we define HIPAA covered entities, look at their rights, and outline the rules they must comply with. 


What is a HIPAA covered entity?

HIPAA covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit protected health information in electronic form (ePHI). These entities transmit that data as regulated by HIPAA. 

Covered entities can use and disclose ePHI for payment, treatment, and healthcare operations. They must comply with the HIPAA privacy rule to protect and secure the privacy of patient health information. Any individual or organization required to comply with the administrative simplification rules (security, privacy, and breach notification) is referred to as a HIPAA covered entity. 

Let’s understand them in detail. 

Health plans

Health plans include individual or group plans that provide or pay for medical care. 

Exceptions to health plans include: 

  • Group health plans with fewer than 50 participants that are administered by an employer that is not a covered entity. 
  • Government-funded programs that do not cover or provide health care, like food stamps. 
  • Government-funded programs whose principal activity is directly providing health care, like community health centers, or collecting funds for the provision of healthcare. 
  • Insurance entities that provide only workers' compensation, automobile insurance, or casualty insurance. 

Health care providers

Providers of any size that deliver health care and electronically transmit health information in connection with certain standard transactions qualify as covered entities. Examples of such transactions are:

  • Claims
  • Benefit eligibility inquiries
  • Referral authorization requests
  • Other transactions that fall under the HIPAA transactions rule

However, using electronic means such as e-mail does not by itself make a healthcare provider a covered entity. The transmission must be connected to a standard transaction. 

The HIPAA privacy rule covers healthcare providers whether they transmit these transactions themselves or through billing services or other third-party service providers. 

Healthcare clearinghouses

A healthcare clearinghouse is any entity that processes non-standard health information into a standard format, or vice versa. 

In most cases, these entities receive Personally Identifiable Information (PII) while providing a processing service to health plans or healthcare providers. In such cases the healthcare clearinghouse also qualifies as a Business Associate (BA), which makes it subject to specific provisions of the privacy rule on its use and disclosure of PII. 

Health care

Any care, service, or medical supply that affects an individual’s health or body function qualifies as health care. 


HIPAA covered entity rights

The privacy rule extensively covers patients' rights over their health data and how HIPAA covered entities may use it. At the same time, it seeks to balance those rights against usage that enables covered entities to deliver care effectively while staying HIPAA compliant. Here are the rights you have as a CE: 

Signed patient consent requirement: You do not need authorization in the form of signed consent from patients when you share health data for treatment. 

Incidental disclosure elimination: There is no need to eliminate all incidental disclosures, as that is impractical. Incidental disclosures do not violate the privacy rule as long as you have policies in place that sufficiently protect and limit the use and disclosure of PHI. 

Communication with the patient’s family: If you have the patient’s authorization, you can: 

  • Share patient information with their friends, family, and other concerned individuals. 
  • Notify family members or any person responsible for the patient's care about the patient's location and health condition. 
  • Share information when the patient is incapacitated, if doing so is in the best interest of the patient. 

Patient visit and contact: As long as the patient does not object, care centers can share a patient's phone number, room number, and general health condition with family or friends, list them in the hospital directory, share them with those who call and ask, and share them with clergy affiliated with a religious institution. 


Child abuse reporting: Covered entities can report child abuse or neglect cases to appropriate authorities. 

Communication via electronic means: The privacy rule allows you to communicate with patients or providers via e-mail, phone, or other electronic means, provided you apply appropriate safeguards to protect the data. 

Examples of HIPAA covered entity

Covered entities can be individuals, businesses, agencies, or organizations. 

Health plans: 

  • Health
  • Dental
  • Vision
  • Prescription drug insurers
  • Long-Term Care Insurers
  • Health insurance companies
  • Health maintenance organizations (HMO)
  • Employer-sponsored health plans
  • Government-funded healthcare programs such as Medicare, Medicaid, and military or veteran health programs 
  • Government and church-sponsored health plans
  • Multiemployer health plans

Health care providers: 

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

Health care clearinghouses:

  • Billing service providers
  • Repricing organizations
  • Community health management information systems

Additionally, researchers or physicians who conduct clinical studies or experiments that require them to transmit ePHI in connection with transactions for which an HHS standard exists also qualify as covered entities. 

Health care: Care, service, or supply related to:

  • Prevention
  • Diagnostics
  • Therapy
  • Rehabilitation 
  • Maintenance or palliative care 
  • Counseling service assessment 
  • Procedure concerning the physical, mental, or functional status


Running a healthcare business can be hectic. You never know where a security gap is sitting in your infrastructure, waiting for someone to take the wrong action and trigger a lawsuit. 

Fortunately, there is a simple yet efficient solution for you. The Sprinto solution is a HIPAA compliance multi-tasker that has one job – to make your life easier. 

With Sprinto, you monitor your environment nonstop for non-compliance. It alerts you when someone takes a risky action or when a breach is waiting to pounce on you. Additionally, it trains your employees to turn them into HIPAA soldiers – so that everyone contributes to your security and is not a liability. 




Who is not a HIPAA covered entity?

Individuals, businesses, or service providers that do not transmit patient health data electronically, or that do not qualify as healthcare providers, health plans, or healthcare clearinghouses, are not HIPAA covered entities. 

What are the exemptions from HIPAA?

The HIPAA privacy rule states that certain exemptions apply to covered entities. These apply when there is unintentional use of or access to PHI, accidental disclosure to an authorized individual, or disclosure of PHI made in good faith. 


