Covered Entities and Business Associates
Are you a covered entity or business associate?
The term “covered entity” under the HIPAA Privacy Rule refers to three specific
groups, including health plans, health care clearinghouses, and health care
providers that transmit health information electronically. Covered entities
under the HIPAA Privacy Rule must comply with the Rule’s requirements for
safeguarding the privacy of protected health information. Below is a more
detailed list of those who fall under the covered entity category under HIPAA
A Health Care Provider
This includes providers such as:
- Nursing Homes
…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
A Health Plan
- Health insurance companies
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
A Clearing House
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
For Covered Entities and Business Associates
The HIPAA Rules apply to covered entities and business associates.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.