
What is a covered entity?

A covered entity is a term used in the context of data privacy and healthcare to describe organizations that handle sensitive health information. This concept stems from the Health Insurance Portability and Accountability Act (HIPAA). According to HIPAA, covered entities are responsible for safeguarding the privacy and security of individuals' protected health information (PHI).


Types of covered entities

There are three main types of covered entities:

  1. Healthcare providers: These include doctors, dentists, hospitals, pharmacies, and other organizations that provide medical care or services. Providers become covered entities when they transmit health information electronically in connection with certain HIPAA-covered transactions.
  2. Health plans: These include health insurance companies, HMOs, company health plans, and government programs such as Medicare and Medicaid. Health plans are responsible for managing and financing the provision of healthcare services.
  3. Healthcare clearinghouses: These are entities that process and convert health information from one format to another, such as billing services or repricing companies. Clearinghouses act as intermediaries between healthcare providers and health plans.



Responsibilities of covered entities

Covered entities must adhere to strict rules and regulations when handling PHI. Their obligations under data privacy and healthcare laws include the following:

  1. Privacy: Covered entities must implement policies and procedures to protect the privacy of PHI, limit its use and disclosure, and ensure that their workforce is trained in these procedures.
  2. Security: They must maintain administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (e-PHI).
  3. Breach notification: In the event of a data breach involving unsecured PHI, covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media.

Failure to comply with these responsibilities can result in penalties, including fines and, in some cases, criminal charges.


What are business associates?

Business associates are third-party organizations that perform services for covered entities and handle PHI on their behalf. Examples of business associates include billing companies, electronic health record vendors, and IT service providers.

Covered entities must establish business associate agreements (BAAs) with these third parties to ensure that they, too, comply with data privacy and security rules. A BAA sets out the business associate's responsibilities for protecting PHI, and any failure to meet those responsibilities can result in penalties for both the covered entity and the business associate.



Patient Rights under HIPAA

Patients have specific rights with respect to their PHI under HIPAA. Covered entities must uphold these rights and respond to patient requests in a timely manner, ensuring they communicate effectively with patients about their PHI and privacy options.

Some of these rights include:

  1. Patients have the right to inspect and obtain a copy of the PHI a covered entity maintains about them.
  2. Patients can request corrections or amendments to their PHI if they believe the information is inaccurate or incomplete.
  3. Patients can request an accounting of disclosures: a record of the instances in which their PHI was shared without their authorization.
  4. Patients can ask covered entities to restrict the use and disclosure of their PHI for certain purposes; however, the covered entity is not required to agree.


State-level privacy laws and regulations

In addition to HIPAA, covered entities may need to comply with state-level privacy laws and regulations governing the handling of health information. State laws vary, and some provide more stringent protections for PHI than the federal rules. Covered entities must know the compliance requirements that apply in the states where they operate and stay informed about changes to state-level privacy regulations.

Understanding the concept of covered entities is vital for anyone involved in the healthcare industry or working with health information. As the organizations responsible for safeguarding PHI, covered entities play a central role in protecting personal and health information from unauthorized access and misuse.
