Given how well-known the Health Insurance Portability and Accountability Act is, it may be surprising to learn how narrowly defined a “Covered Entity” is. Possession of health data does not automatically make an organization subject to HIPAA law, leading many to ask: what is a covered entity under HIPAA? Which organizations are required to follow the HIPAA Rules?
According to the Department of Health and Human Services’ website, a HIPAA Covered Entity is any organization, individual, or agency that is one of the following:
- Healthcare providers such as doctors, clinics, dentists, nursing homes, pharmacies, etc., that transmit protected health information (PHI) in electronic form as part of a DHSS-defined standard transaction,
- Health Plans including government health plans (e.g. Medicare), company health plans, health insurance companies,
- Healthcare clearinghouses (entities that convert nonstandard health information into a standard format, or vice versa, often in the course of processing medical claims).
Many parts of these definitions will be surprising to readers. For example, healthcare providers are only considered to be Covered Entities if they transmit data for a purpose for which the DHSS has adopted a standard. These transactions are all financial or administrative in nature (such as coordinating benefits or paying for premiums). Additionally, the entity must transmit PHI electronically. However, once some PHI is transmitted electronically, a healthcare provider is considered to be a Covered Entity, and all of their transactions must be HIPAA-compliant.
Not all organizations that meet the definition of a Covered Entity will be considered to be a “full” CE. If a nurse, for example, works part-time in a school and part-time in a clinic, only their activities in the clinic will be covered by HIPAA. The school-related services will be covered by FERPA, which takes precedence over HIPAA.
Partial Covered Entities also exist. Employer-provided health plans are often partial entities, as the employer and the health plan are two separate legal bodies. The employer cannot, for example, use data from the health plan to prevent an employee from getting a promotion.
Importantly, manufacturers of wearable healthcare technologies are not considered CEs. The data collected is for the consumer’s own use, and therefore not used in a HIPAA-covered transaction. If this data were handed over to a healthcare provider, it would then be considered PHI.
Any organization that is deemed a HIPAA-Covered Entity, be it full, partial, or hybrid, must ensure that all PHI is adequately safeguarded and cannot be accessed by unauthorized individuals. Training should be provided to all those in an organization who may come into contact with PHI, including administrative support staff, volunteers and students.