Organizations that must comply with HIPAA rules, including health care providers, health plans, and health care clearinghouses.
A covered entity is an organization or individual that is directly subject to HIPAA regulations. HIPAA defines three categories of covered entities. Health care providers include any provider of medical or health services, such as doctors, hospitals, clinics, dentists, pharmacies, nursing homes, and psychologists, who transmits health information in electronic form in connection with a covered transaction. Health plans include health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and military health programs. Health care clearinghouses are entities that process nonstandard health information into standard electronic formats.
Covered entities bear primary responsibility for HIPAA compliance. They must implement the Privacy Rule to protect all forms of PHI, the Security Rule to safeguard ePHI, and the Breach Notification Rule to report unauthorized disclosures. Covered entities must designate a Privacy Officer and Security Official, provide workforce training, conduct regular risk analyses, develop and maintain written policies and procedures, and provide patients with a Notice of Privacy Practices. They are also responsible for ensuring that all business associates with whom they share PHI sign appropriate Business Associate Agreements and comply with applicable HIPAA requirements.
Not every organization that handles health information is a covered entity. The key factor for health care providers is whether they transmit health information electronically in connection with HIPAA-covered transactions such as claims, eligibility inquiries, or referral authorizations. A provider who only conducts paper-based transactions is technically not a covered entity under HIPAA, though this scenario is increasingly rare. Organizations unsure of their status can use the CMS Covered Entity Decision Tool. Importantly, even if an organization is not a covered entity, it may still be subject to HIPAA as a business associate if it handles PHI on behalf of a covered entity.