Understanding healthcare providers as defined by HIPAA
Organizations that must comply with HIPAA are called covered entities and include health plans, healthcare providers, and healthcare clearinghouses. We’ve detailed health plans and healthcare clearinghouses in the past. Here, we will explore healthcare providers as defined by HIPAA.
A healthcare provider is an individual or an organization that provides healthcare services directly to patients. Covered entities and their business associates must understand all aspects of HIPAA to effectively protect patients during care, especially when safeguarding patients’ protected health information (PHI) with cybersecurity measures such as HIPAA-compliant email.
A HIPAA refresher
HIPAA, the Health Insurance Portability and Accountability Act of 1996, protects the rights and privacy of patients. The act was created to improve health coverage standards and combat fraud and abuse related to PHI. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights regulates and enforces the act, which consists of five sections (or titles).
The most referenced is Title II, which sets policies and procedures for maintaining patient privacy with the following rules:
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect electronic PHI (ePHI)
- Enforcement Rule (2006): sets the guidelines for enforcing HIPAA and penalizing organizations
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): sets the procedures for reporting breaches
- Omnibus Final Rule (2013): incorporates HITECH further by improving privacy protections
HIPAA secures PHI while allowing organizations to share information as needed and properly care for patients. Understanding and implementing these guidelines is fundamental to avoiding breaches and HIPAA violations.
Covered entities: health plans and healthcare clearinghouses
Organizations involved in the healthcare industry and/or the handling of PHI might fall under the category of a covered entity. Healthcare entities and their associates must follow HIPAA rules when handling PHI.
Under HIPAA (and especially the Privacy Rule), this means:
- Implementing policies and processes to protect the privacy of PHI
- Maintaining strict administrative, physical, and technical safeguards
- Notifying the proper individuals and institutions in case of a data breach
Failure to comply with these responsibilities can result in penalties, including fines and, in some cases, criminal charges. Covered entities must uphold patients’ rights and ensure effective communication about their privacy.
Three types of covered entities exist: health plans, healthcare clearinghouses, and healthcare providers. Health plans include:
- Health insurance companies.
- HMOs (health maintenance organizations).
- Company health plans.
- Government-sponsored healthcare programs (e.g., Medicare).
Healthcare clearinghouses act as third-party intermediaries between health insurers (i.e., health plans) and healthcare providers.
Covered entities: healthcare providers
Like health plans and clearinghouses, healthcare providers play a critical role in the healthcare industry. According to HHS and the HIPAA Administrative Simplification Regulations, a healthcare provider is a “person or organization who furnishes, bills, or is paid for health care in the normal course of business.” Practitioners in this group diagnose and treat patients, maintain medical records, and handle sensitive health information.
Certain healthcare providers can access PHI and electronically submit HIPAA transactions, such as claims. These practitioners need to comply with HIPAA and, according to HHS, include:
- Nursing homes
Are you a healthcare provider?
Do you qualify as a healthcare provider? HHS points to an interactive PDF flowchart from the Center for Medicare and Medicaid Services. The tool is based on the Administrative Simplification Regulations adopted under HIPAA.
Through a series of questions, individuals or organizations can determine if they qualify as a healthcare provider or another covered entity. There are two questions to answer about healthcare providers:
- Do you furnish, bill, or receive healthcare payments?
- Do you transmit (send) any covered transactions electronically?
Anyone uncertain about which questions to answer should answer them all.