Today, we are going to talk about the entities covered under HIPAA.
Covered entities under HIPAA are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, referrals, and similar).
The covered entities are responsible for protecting patient information following the standards set forth by the U.S. Department of Health and Human Services (HHS). HIPAA also gives patients more control over their health information and specifies severe penalties for HIPAA violations.
The following article will outline what types of entities are covered under HIPAA, which organizations fall outside the definition or under a narrow exclusion, and how to work out which category your own organization belongs to.
What are the covered entities of HIPAA Law?
HIPAA names three kinds of covered entities: health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically. Each is described below.
Health Plans
Health plans are individual or group plans that provide or pay the cost of medical care: health insurers, HMOs, employer-sponsored group health plans, and government programs such as Medicare and Medicaid. Employer group health plans are covered whether or not they are governed by the Employee Retirement Income Security Act (ERISA); ERISA status does not decide HIPAA coverage. Two points are often confused here: a retirement plan is not a health plan and is not a covered entity, and a group health plan with fewer than 50 participants that is administered solely by the employer that established it is excluded from the definition.
Health Care Clearinghouses
Health care clearinghouses are organizations that convert health information from a nonstandard format into a HIPAA standard transaction, or the reverse: billing services, repricing companies, and community health management information systems, for example. A clinic such as a diabetic care center is not a clearinghouse; it is a health care provider. Clearinghouses are covered entities in their own right and are subject to both the Privacy Rule and the Security Rule. The Security Rule applies to the electronic protected health information (ePHI) they create, receive, maintain, or transmit, which for a clearinghouse is essentially everything they handle.
HIPAA Covers Health Care Providers
Health care providers are the people and organizations that furnish, bill for, or are paid for health care: physicians, clinics, hospitals, dentists, psychologists, pharmacies, nursing homes, and so on. A provider is a covered entity only if it transmits health information electronically in connection with a standard transaction, such as submitting claims to a plan electronically; a practice that bills only on paper is not. HMOs, PPOs, and health flexible spending accounts are not providers; they are health plans and are covered under that category.
Other organizations and people that are not themselves covered entities but that still fall under the Privacy and Security Rules, either directly or through their contracts with a covered entity, include:
Business associates
Organizations or people that create, receive, maintain, or transmit PHI in order to perform a function or service for a covered entity, on-site or off-site: claims processing, billing, data analysis, cloud hosting, legal or consulting work, and the like. A written business associate agreement (BAA) is required, and business associates are directly liable for Security Rule compliance and for the uses and disclosures their agreement permits.
Business associates’ subcontractors
Organizations or people that handle PHI on behalf of a business associate. Since the 2013 Omnibus Rule they are business associates in their own right and carry the same obligations, with a BAA between them and the business associate.
Other recipients of PHI from a business associate
A business associate may only disclose PHI as its agreement and the Privacy Rule allow. Anyone who receives PHI from a business associate in order to do work for it is a subcontractor under the rule; any other recipient must be one the covered entity’s own permitted disclosures would allow.
Covered entity’s parent organizations and subsidiaries
A larger organization with both covered and non-covered functions, such as a university with a medical center, may designate itself a hybrid entity and apply HIPAA only to its health care components. Legally separate covered entities under common ownership or control may designate themselves an affiliated covered entity and operate as one. In either case the rules apply in full to every part of the organization that handles PHI.
Covered entity’s workforce
Employees, volunteers, trainees, and others whose work is under the covered entity’s direct control are not business associates. They are part of the covered entity’s workforce, and the covered entity is responsible for training them, for sanctioning violations, and for how they handle PHI.
So, Are Patients Ever Covered Entities?
Here’s where things start to get confusing for many readers, so it is worth being precise.
Patient vs. Covered Entity
A patient is never a covered entity. HIPAA protects the individual whose health information it is; the covered entity is the plan, clearinghouse, or provider that holds that information. Whether a patient has a balance due, pays out of pocket, or is a member of a plan changes nothing about who is covered. One related right does depend on payment: a patient who pays for a service in full out of pocket can ask the provider not to disclose that service to the health plan, and the provider must honor the request. That is a right of the individual, not a change in who the covered entity is.
Patient vs. Plan Member
A provider’s patient and a health plan’s member are the same kind of person for HIPAA purposes: an individual with rights over their PHI. The provider and the plan are separately covered entities, each responsible for its own records. A plan may use or disclose a member’s PHI for treatment, payment, and health care operations without authorization; most other disclosures require the individual’s written authorization.
Legal vs. Practical
In practice, one episode of care involves several covered entities at once. An ambulatory surgery center, the operating physician’s practice, and an out-of-network payer are each a covered entity with its own obligations for the same patient’s PHI. Each is accountable for its own safeguards, but from the patient’s point of view, their privacy is only as good as the weakest of these organizations’ practices.
Size does not change the answer. A solo practice that bills electronically is a covered entity just as a hospital is; the only size-based carve-out is the exclusion for self-administered group health plans with fewer than 50 participants. Covered-entity status is not something an organization opts into: it follows from what the organization is and whether it transmits health information electronically in connection with a standard transaction. A business associate is not a type of covered entity; it is a separate category with its own direct obligations. Organizations that are unsure can use the covered entity decision tool that HHS and CMS publish, and any organization that handles PHI should treat patient privacy and security as its responsibility regardless of which label applies.
HIPAA covers many types of organizations, including group health plans, health care clearinghouses, and health care providers that conduct certain standard transactions electronically. All of these covered entities must comply with the Privacy Rule, which protects PHI in any form (paper, oral, or electronic), and with the Security Rule, which requires administrative, physical, and technical safeguards for PHI that is stored or transmitted electronically.
Patients have a right under HIPAA to inspect their health records and to obtain a copy, in electronic form if the records are held electronically and the patient asks for it. A covered provider or plan must respond to a request within 30 days (with one 30-day extension if it explains the delay in writing), may charge only a reasonable, cost-based fee for copies, and may deny access only on the narrow grounds the Privacy Rule allows, such as psychotherapy notes or information compiled for litigation.
If a patient has been denied access by their medical provider or health plan, they may file a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), which enforces the HIPAA rules.
Whether you work for a covered entity, a business associate, or neither, start by understanding what PHI is and which of these categories your organization falls into. If you want the details, read the regulations themselves (45 CFR Parts 160 and 164). For more information, you can visit our blog now!