Covered entities

What Are Covered Entities?

In the context of regulatory compliance, covered entities are specific individuals, organizations, or agencies that must comply with the regulations of the Health Insurance Portability and Accountability Act (HIPAA). These entities are primarily involved in the healthcare industry and handle sensitive patient information. The three main types of covered entities are health plans, healthcare providers, and healthcare clearinghouses. These entities are obligated to protect the privacy and security of Protected Health Information (PHI), which includes any individually identifiable health information held or transmitted by them in any form. Their adherence to HIPAA ensures data privacy for millions of individuals.

History and Origin

The concept of covered entities emerged with the passage of the Health Insurance Portability and Accountability Act (HIPAA) in August 1996. While initially focused on health insurance portability and combating waste and fraud, HIPAA soon evolved to address the growing need for nationwide standards to protect sensitive health information, especially as healthcare moved toward electronic record-keeping. The Department of Health and Human Services (HHS) subsequently developed the HIPAA Privacy Rule, which became effective for most organizations in April 2003, and the HIPAA Security Rule, effective in April 2005. These rules specifically defined the types of entities that would be subject to their stringent requirements, thereby establishing the framework for covered entities and their responsibilities in safeguarding patient data.

Key Takeaways

  • Covered entities are defined by HIPAA as health plans, healthcare providers, and healthcare clearinghouses.
  • They are legally obligated to protect Protected Health Information (PHI) under HIPAA's Privacy and Security Rules.
  • Compliance involves implementing safeguards, conducting risk assessments, and adhering to strict rules regarding the use and disclosure of PHI.
  • Failure to comply can result in significant financial penalties and corrective action requirements.
  • The classification as a covered entity is crucial for determining an organization's responsibilities in healthcare data management and compliance.

Interpreting the Covered Entities

Understanding what constitutes a covered entity is fundamental to navigating healthcare regulatory compliance. The distinction determines which organizations must adhere to the rigorous standards set forth by HIPAA regarding the handling of Protected Health Information (PHI). For instance, a small doctor's office that electronically transmits billing information to a health plan is a healthcare provider, and thus a covered entity, even if it primarily uses paper records otherwise. Similarly, a health insurance company, regardless of its size, is also considered a covered entity. This broad scope ensures that a significant portion of the healthcare ecosystem responsible for PHI is accountable. Entities must conduct a thorough risk assessment to ensure they meet the specific requirements of the Privacy Rule and Security Rule.

Hypothetical Example

Consider "Wellness Medical Group," a medium-sized clinic that employs several doctors, nurses, and administrative staff. Wellness Medical Group electronically submits claims to various health insurance companies and exchanges patient health information, such as lab results and prescription orders, with pharmacies and other specialists via electronic health record (EHR) systems.

Because Wellness Medical Group is a healthcare provider that transmits health information electronically in connection with transactions for which HHS has adopted standards (like claims and eligibility inquiries), it meets the definition of a covered entity under HIPAA. Consequently, Wellness Medical Group must:

  1. Implement policies and procedures to protect Protected Health Information.
  2. Appoint a privacy official.
  3. Train its staff on HIPAA regulations.
  4. Conduct regular risk assessments to identify vulnerabilities in its electronic systems.
  5. Adhere to rules regarding patient rights to access their medical records and request amendments.

Failure to comply could lead to investigations and penalties from the Office for Civil Rights (OCR) if a breach or violation occurs.

Practical Applications

Covered entities operate under a strict framework designed to safeguard sensitive patient data, influencing various aspects of their operations. One key area is the implementation of comprehensive security measures to protect electronic health records (EHRs). This includes deploying encryption, access controls, and auditing systems to prevent unauthorized access or breaches of Protected Health Information.

Furthermore, covered entities must manage relationships with their business associates—third-party service providers who handle PHI on their behalf. This involves establishing stringent business associate agreements that extend HIPAA's privacy and security obligations to these external parties.

Real-world scenarios demonstrate the critical importance of these regulations. For instance, in 2018, Anthem Inc., a health insurance company and a covered entity, faced a record-breaking $16 million settlement with the HHS Office for Civil Rights following a massive data breach that exposed the electronic protected health information of nearly 79 million individuals. This incident underscored the necessity for covered entities to maintain robust cybersecurity practices and highlighted the significant enforcement efforts by regulatory bodies. The HHS Office for Civil Rights (OCR) regularly publishes enforcement highlights detailing various compliance reviews and corrective actions taken against covered entities for HIPAA violations.

Limitations and Criticisms

While the framework for covered entities aims to protect health information, it also presents certain limitations and faces criticisms. One common critique revolves around the scope of HIPAA itself; it primarily applies to defined covered entities and their business associates, meaning organizations or individuals outside these definitions are not directly bound by HIPAA rules, even if they handle health information. This gap can lead to situations where consumer health data collected by fitness trackers or certain health apps, for example, might not receive the same level of data privacy protection.

Additionally, achieving full compliance can be complex and burdensome, particularly for smaller covered entities. The intricacies of the Security Rule and Privacy Rule require substantial resources for training, due diligence, and technology implementation. Cases of significant breaches, such as the Anthem incident mentioned previously, reveal that even large, well-resourced covered entities can face challenges in preventing sophisticated cyberattacks. Such events highlight the continuous need for vigilance and adaptation in cybersecurity measures by all entities handling sensitive data.

Covered Entities vs. Business Associates

The distinction between a covered entity and a business associate is critical in HIPAA compliance, though both play a role in protecting Protected Health Information (PHI).

A covered entity is a direct provider of healthcare services, a health plan, or a healthcare clearinghouse. These are the primary actors in the healthcare system that generate, receive, maintain, or transmit PHI electronically in connection with standard transactions.

A business associate, conversely, is a person or entity that performs functions or provides services for a covered entity that involve the use or disclosure of PHI. Examples include third-party billing companies, IT service providers that manage electronic health records, or cloud storage providers. While a business associate is not a covered entity, it is directly liable for compliance with certain provisions of the HIPAA Rules due to its contractual relationship with a covered entity, known as a Business Associate Agreement (BAA). This agreement legally obliges the business associate to protect PHI as if it were a covered entity, extending the reach of HIPAA's Security Rule and Privacy Rule.

FAQs

What are the three types of covered entities under HIPAA?

The three types of covered entities are health plans (e.g., health insurance companies), healthcare clearinghouses (entities that process nonstandard health information into standard formats), and healthcare providers (e.g., doctors, hospitals, pharmacies) who transmit health information electronically.

Does HIPAA apply to all organizations handling health information?

No, HIPAA primarily applies to covered entities and their business associates. If an organization does not fit the definition of a covered entity or a business associate, it is generally not directly regulated by HIPAA, even if it handles some form of health-related information.

What kind of information do covered entities protect?

Covered entities are responsible for protecting Protected Health Information (PHI). This includes any individually identifiable health information relating to an individual's past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare. PHI can be in any form: electronic, paper, or oral.

What happens if a covered entity violates HIPAA?

If a covered entity violates HIPAA, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) can impose civil money penalties, require corrective action plans, and, in severe cases, refer matters for criminal prosecution. Penalties can range from thousands to millions of dollars depending on the nature and severity of the violation.

What is a "hybrid entity"?

A hybrid entity is a single legal entity that performs both covered and non-covered functions. Such an entity can designate healthcare components that must comply with HIPAA, while other parts of the organization are not subject to the rules.
