Covered Entities and Business Associates
Under the HIPAA laws, the Privacy and Security Rules apply only to covered entities – health plans, health care clearinghouses, and certain health care providers. Most health care providers and health plans use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" if the providers obtain satisfactory assurances that the business associate will use the information only for legitimate purposes and safeguard the information from misuse. The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules.
Covered Entities include:
- Health Care Providers
- Health Plans
- Health Care Clearinghouses
Health Care Providers
Such as:
- Chiropractors
- Clinics
- Dentists
- Doctors
- Nursing Homes
- Pharmacies
- Psychologists
... but only if they create, receive, maintain, or transmit PHI in an electronic form.
Health Plans
This includes:
- Health insurance companies
- HMOs
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs
Health Care Clearinghouses
Includes entities that process or convert nonstandard health information they receive from another entity into a standard format or vice versa.
Business Associates
Some examples of Business Associates:
- Attorneys whose legal services to a health provider involve access to protected health information
- Consultants that perform utilization reviews for a hospital
- CPA firms whose accounting services to a health care provider involve access to protected health information
- Medical transcriptionists
- Pharmacy benefit managers that manage a health plan's pharmacist network
- Third-party administrators that assist a health plan with claims processing





