HIPAA defines certain entities as covered entities and imposes specific responsibilities to ensure compliance. If you are involved in the healthcare industry or handle patient health information, you might fall under the category of a covered entity. To determine if you're a covered entity, you must understand the HIPAA criteria for covered entities.
What are covered entities?
HIPAA categorizes covered entities into three main groups: healthcare providers, health plans, and healthcare clearinghouses. Understanding the scope of each category can help determine your covered entity status.
Healthcare providers include doctors, nurses, dentists, psychologists, hospitals, clinics, nursing homes, and pharmacies. If you provide healthcare services to patients, you fall under the classification of a healthcare provider.
Healthcare providers diagnose and treat patients, maintain medical records, and handle sensitive health information. As a healthcare provider, you have access to protected health information (PHI), which includes individually identifiable health information.
Health plans are entities that provide or pay for medical care. This includes health insurance companies, employer-sponsored health plans, government programs, and health maintenance organizations (HMOs). If you administer or offer health insurance coverage, you are considered a health plan and, therefore, a covered entity.
Health plans handle significant volumes of PHI as they process claims, maintain enrollment information, and manage billing and payment processes. They are responsible for ensuring the privacy and security of that PHI, both within their own organizations and when sharing information with healthcare providers.
Healthcare clearinghouses are entities that process nonstandard health information into standardized formats. They often facilitate the transmission of health information between different parties. Examples of healthcare clearinghouses include organizations that convert paper-based medical records into electronic formats and those involved in claims processing. If you engage in these activities, you may be classified as a healthcare clearinghouse.
Determining your covered entity status
1. Assessing your services
If you offer medical care, diagnosis, treatment, or other healthcare-related services, you fall under the category of a healthcare provider.
Consider the scope of your services and whether they involve direct patient care. Evaluate the nature of your interactions with patients and the level of access you have to their health information. If you are engaged in providing medical services, you must carefully review HIPAA regulations to ensure compliance.
2. Handling protected health information (PHI)
If your organization or role involves creating, maintaining, transmitting, or receiving PHI, you fall under HIPAA's purview. Evaluate the types of data you handle and the level of sensitivity involved. If you routinely handle PHI as part of your operations, you are a covered entity subject to HIPAA regulations.
3. Involvement in health insurance coverage
If you are an insurance company providing health insurance coverage, or an employer offering a group health plan, you qualify as a health plan and, therefore, are a covered entity.
Evaluate the nature of your insurance or coverage activities, the types of plans you administer, and the extent of your involvement in managing and processing health information.
4. Clearinghouse functions
If your organization facilitates the transmission of health information, converts paper-based medical records into electronic formats, or performs data transformations for the purpose of interoperability, you fall under the healthcare clearinghouse category.
Evaluate your organization's role in processing health information, the types of services you provide, and the extent to which you interact with other covered entities.
You can determine your covered entity status by assessing the nature of your services, handling of PHI, involvement in health insurance coverage, and engagement in clearinghouse functions.