The Health Insurance Portability and Accountability Act (HIPAA) can be a tricky yet necessary protocol to follow. A common misconception of those on the "outside looking in" is that HIPAA only applies to healthcare organizations like hospitals and other specialty clinics.
When looking into who is covered by HIPAA, you may be surprised to learn that several more entities have a responsibility to adhere to HIPAA guidelines as a covered entity. Some of these organizations are not even directly involved with healthcare.
HIPAA violations can be costly, so understanding your role, if any, in compliance is crucial. Continue reading to find out if you should do more to satisfy HIPAA requirements and safeguard sensitive personal health information (PHI).
What Does Covered Entity Mean?
What is a covered entity in HIPAA? In the grand scheme, HIPAA serves the purpose of safeguarding personal health information. With that in mind, a covered entity is any person or organization that stores or transmits PHI in one form or another. HIPAA-covered entity examples can include, but are not limited to, the following:
- Doctors' clinics (including dentists, psychologists, physical therapists, etc.)
- Nursing homes
- Health insurance plans
- And more
4 Types of Covered Entities
Health plans under HIPAA
One of the most common covered entities is the category of health plans. You may better know these as the health benefits an employer provides to its employees. Think dental and vision plans, Medicaid, Medicare, and prescription drug plans.
You should be aware that there are some exceptions as to what is considered a health plan under HIPAA. Exceptions include coverage items like:
- Employer-funded group health plans with fewer than 50 participants
- Government-funded health clinics
- Auto insurance plans
- Liability insurance plans
- Workers' compensation plans
Clearinghouses as defined by HIPAA
When looking into who or what is governed by HIPAA, clearinghouses are important to consider. They can be public or private entities and act as the third party between a healthcare provider and those paying for the service (patient or a health plan).
So, how does it work? After rendering a healthcare service, the provider generates an invoice in a format compliant with the American National Standards Institute (ANSI), a special encoding format that turns text into a set of numbers for added security. The file is usually sent or uploaded to a digital clearinghouse, where it is examined automatically for errors or anomalies that may prevent it from being accepted by a health plan's software. The process is repeated when the health plan receives the file through its own clearinghouse. The invoice is subsequently returned to the provider with a decision on acceptance.
A clearinghouse performs two main functions in serving its clients:
- Process or facilitate PHI from one entity in a non-standard format (ANSI)
- Receive a transaction from an entity and process it into a non-standard format (ANSI) for another target entity
What about your desk phone or the internet? They are used to send and receive information, so they must be considered under the rules around clearinghouses, right? Usually not! Under HIPAA, a clearinghouse would normally not include telecommunications entities (e.g. internet service providers, telephone companies). Although these services are used to convey information, unless they are specifically carrying out the duties of a clearinghouse, as outlined above, they are not included under the HIPAA definition of a covered entity.
Providers as defined by HIPAA
A provider is the healthcare organization itself. These are the doctors' clinics, chiropractors, pharmacies, etc. Since providers collect PHI to diagnose, treat and bill you, they are considered a covered entity under HIPAA.
Review the HIPAA-covered entity chart below to understand where you fit in.
[Chart: HIPAA-covered entities. Data courtesy of U.S. Department of Health & Human Services]
Business associates as defined by HIPAA
Digging deeper, we must also consider business associates. These are individuals or organizations that provide a service to a HIPAA-covered entity. To conduct their work, they would likely have access to some or all of the PHI provided to the original covered entity. Business associates span many industries, but generally they include the likes of:
- Billing administrators
- Cloud services providers
- Medical device manufacturers
- And more
The Bottom Line: To Ensure is to Insure!
Understanding where you fit under HIPAA is critical to avoiding a damaged reputation, fines and even jail time. Not only should you familiarize yourself with where you fit, but also with what your responsibilities are within the specified category. As the heading claims, to ensure is to insure: ensure you know where you belong to insure organizational peace of mind.