Organizations that must comply under HIPAA are called covered entities and include health plans, certain healthcare providers, and healthcare clearinghouses. HIPAA, the Health Insurance Portability and Accountability Act of 1996, protects the rights and privacy of patients. Covered entities and their business associates must understand all aspects of HIPAA to effectively protect patients during care, especially when safeguarding patients’ protected health information (PHI) with cybersecurity measures such as HIPAA compliant email. This also means knowing who qualifies as a covered entity and who must comply with HIPAA at all times.
Health plans and healthcare providers are the uncomplicated categories, which is why today we will dig deeper into healthcare clearinghouses.
A HIPAA refresher
HIPAA is U.S. legislation created to improve health coverage standards and combat fraud and abuse related to PHI. The Office for Civil Rights (OCR) regulates and enforces the act, which consists of five sections (or titles).
The most referenced is Title II, which sets policies and procedures for maintaining patient privacy, with the following rules:
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect electronic PHI (ePHI)
- Enforcement Rule (2006): sets the guidelines for enforcing HIPAA and penalizing organizations
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): sets the procedures for reporting breaches
- Omnibus Final Rule (2013): incorporates HITECH further by improving privacy protections
The U.S. Department of Health and Human Services (HHS) amends HIPAA as needed. At the same time, the government also looks to strengthen nationwide cybersecurity with further legislation.
Covered entities: health plans and healthcare providers
A covered entity is an individual, institution, or organization that must comply with HIPAA.
There are three categories of covered entities: health plans, healthcare providers, and healthcare clearinghouses.
Health plans include health insurance companies, HMOs (health maintenance organizations), company health plans, and government-sponsored healthcare programs (e.g., Medicare).
Healthcare providers are those that transmit electronic information in connection with a transaction for which HHS adopted a standard. These may include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
We’ll explore healthcare clearinghouses below.
The Privacy Rule applies only to covered entities, while also permitting these organizations to share information under certain provisions. A business associate is a person or entity that performs certain functions or activities that involve PHI. But before this occurs, covered entities must sign a business associate agreement with their business associates.
Covered entities: healthcare clearinghouses
An expanded definition from the National Institutes of Health states that a healthcare clearinghouse is:
A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
In other words, healthcare clearinghouses act as third-party intermediaries between healthcare providers and health insurers (i.e., health plans). The most important feature of these organizations is that they must work directly with PHI. In fact, healthcare clearinghouses are classified as such because their sole role is PHI-related.
A similar organization whose primary role is unrelated to PHI is instead a business associate, because it performs a task on behalf of a covered entity rather than handling PHI as its sole function.