What is the Definition of a HIPAA Covered Entity?

HIPAA compliance applies to covered entities and business associates, but what is the definition of a HIPAA covered entity and what are HIPAA business associates?

Knowing the definition of a covered entity and business associate is essential. If you are classed as either, you must comply with HIPAA Rules. There are severe financial penalties for noncompliance with HIPAA and ignorance is not a valid defense.

What is the Definition of a HIPAA Covered Entity?

The definition of a HIPAA covered entity is a healthcare provider, health plan or healthcare clearinghouse that electronically transmits protected health information for transactions for which the Department of Health and Human Services has adopted standards. The above healthcare organizations are not considered covered entities if they do not transmit protected health information electronically.

Healthcare providers include hospitals, medical centers, clinics, physicians, chiropractors, psychologists, dentists, pharmacies and nursing homes. Health plans include company health plans, health insurers, health maintenance organizations (HMOs), and government programs that pay for healthcare. Healthcare clearinghouses include organizations that process non-standard health information and transcription service companies.

What is the Definition of a HIPAA Business Associate?

Since healthcare organizations often work with vendors that need access to PHI in order to complete duties under the terms of their contracts, those vendors must also comply with HIPAA Rules.

While the definition of a HIPAA covered entity is well understood and is limited to a fairly narrow range of entities, HIPAA business associates include a very wide range of individuals and organizations. The definition of a business associate is any entity that works with a HIPAA covered entity and performs duties that require access to protected health information.

The list of HIPAA business associates is therefore long. Business associates include billing companies, document storage firms, cloud service providers, software providers, IT consultants, computer forensics firms, third-party administrators, CPA firms, attorneys, actuaries, medical couriers, asset recycling companies, answering services, medical device manufacturers, and marketing firms.

All HIPAA business associates must enter into a contract with the covered entity – termed a Business Associate Agreement or BAA – which outlines the duties that must be performed, allowable uses and disclosures of PHI, and the requirements for protecting any PHI that is supplied or can be accessed by the business associate.

The BAA must also cover the use of subcontractors, which would also be required to comply with HIPAA Rules if they require access to PHI. It is the responsibility of the covered entity to ensure that a signed HIPAA-compliant BAA is obtained before access to PHI is provided to a business associate. A business associate must ensure that a BAA is obtained before access to PHI is provided to a subcontractor.

Am I a HIPAA Covered Entity or a Business Associate?

Many HIPAA covered entities are also business associates of other HIPAA covered entities, although not all business associates are HIPAA covered entities. Healthcare providers, such as physicians and clinics, are not necessarily covered entities, even though they may perform most of the functions of covered entities and deal with the same information.

If you are unsure whether you are a covered entity or a business associate, the full definition of a HIPAA covered entity and clarification on business associates are detailed in 45 CFR § 160.103.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news