HIPAA covered entities are required to adhere to all aspects of HIPAA laws and its provisions, failing to do so could result in a HIPAA penalty being applied or, even worse, the personal health information of their clients being used for fraudulent purposes.
Covered Entity under HIPAA Laws
‘Covered entities’ refers to a range of different bodies. The group that most people will be familiar with is Health Plans. This group incorporates health insurance companies, HMOs, company health plans, and specific government programs that provide health care, including Medicare and Medicaid. Some of the more widely-recognized health plans include United HealthCare, Kaiser Foundation, Anthem, Human and CVS Health. None of these groups are immune from HIPAA breaches.
Any health care provider that uses electronic or digital technology to conduct business is also governed by HIPAA legislation. This would include any doctor’s surgery, clinic, hospital, psychologists, chiropractors, nursing homes, pharmacies, and dentists that store PHI on a server or cloud server, bill electronically, or communicate with you via email.
Health care clearinghouses are considered HIPAA entities. These are groups that process the nonstandard health information they are sent from another HIPAA-covered entity into standard health information. The Department of Health & Human Services defines a health care clearinghouse as a “public or private entity, including a billing service, repricing company, or community health information system, which processes non-standard data or transactions received from one entity into standard transactions or data elements, or vice versa.”
Finally, business associates of covered entities must adhere to all relevant aspects of HIPAA legislation. Business associates refer to a person or entity that completes tasks or activities that involve the use or sharing of protected health information on behalf of or provides services for, a covered entity. This could include a collections agency, billing or coding company, IT consultant, practice management services, medical transcriptionist, answering service, e-prescribing services, law office or accounting firm.
For business associates to be HIPAA compliant they must have a business associate agreement signed with the HIPAA covered entity and subcontractors they are working with. This will ensure that business associates, and subcontractors, follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Several groups are exempt from adhering to the HIPAA Privacy and Security Rules including life insurers, employers, workers’ compensation carriers, the majority of schools and school districts, certain state agencies such as child protective service agencies, law enforcement agencies, and some specific municipal offices.
Entities governed by HIPAA are charged with ensuring that they establish a set of safeguards that will secure private health information improperly in all instances. They are expected to limit, as much as possible, the uses and disclosures to the minimum necessary to achieve their task. The implementation of training programs to educate employees about avoiding a HIPAA breach is vital. Business associates are expected to follow suit.