The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to provide industry-wide standards for handling protected health information (PHI).
HIPAA Privacy Rules mandate organizations and other stakeholders within the healthcare industry handling PHI to comply with its regulations.
According to HIPAA rules, Covered Entities and their Business Associates should develop and implement procedures that safeguard PHI.
While the HIPAA regulations are clearly indicated, the biggest dilemma remains on who falls under the category of a Covered Entity.
Wondering whether you qualify as a Covered Entity or not? Read on as we uncover the three types of Covered Entities under the HIPAA watch!
Covered Entities refer to healthcare providers, health plans, and clearinghouses involved in transferring Protected Health Information.
PHI transmission may include payment of healthcare services, treatment, billings, operations, or insurance coverage.
The 3 main categories of Covered Entities under HIPAA regulations include:
Healthcare providers are individuals or institutions responsible for providing patients with diagnosis, treatment, care, and follow-up services.
Covered Entities should maintain the HIPAA Privacy and Security Rules required to safeguard the patient’s health information.
Examples of healthcare providers who fall under the HIPAA Covered Entity bracket include:
The above individuals and companies have to be transmitting information electronically, and the transactions must follow the standards of the Department of Health and Human Services (HHS).
Health plans are organizations responsible for providing, arranging, paying, or reimbursing any part of the cost incurred in providing healthcare services.
These Healthcare plans include:
In general, health plans are a form of insurance covering health care costs. Three types of health plans fall under the Covered Entity bracket in the United States. They include:
A health insurance issuer refers to an insurance company or an insurance service licensed to participate in the insurance business within a state. This issuer is subject to state laws that regulate insurance.
Health Maintenance Organizations (HMOs) are a type of health insurance that limits coverage to care provided by doctors working for or under contract with the HMO.
Usually, HMOs do not cover care outside the network unless there is an emergency. You may need to work or reside in the HMO’s service area to be eligible for coverage.
The insured party has to select a primary care physician from the local healthcare providers’ networks under an HMO plan.
The person insured may not see a specialist outside the network without first receiving an official referral from their primary care physician.
A group health plan is a welfare benefit plan for employees offered by an employer or organization responsible for providing medical care for the participant and their families through insurance or reimbursement.
Healthcare clearinghouses refer to organizations responsible for processing nonstandard health information to ensure that it complies with data standards on behalf of other enterprises.
According to the National Institute of Standards and Technology (NIST), healthcare clearinghouses are responsible for receiving standard transactions from other entities.
The clearinghouses then process the health information into a nonstandard format for the receiving entity. The reverse also applies.
Clearinghouses are electronic hubs that enable healthcare organizations to transmit claims electronically to insurance carriers.
They have to transmit the data in a secure way to safeguard the protected health information (PHI).
A clearinghouse interacts with PHI in that it checks medical claims for errors and ensures that the claims get processed correctly by the insurance company. The claims and related medical records are shared electronically with the appropriate medical organizations.
A credible clearinghouse enables seamless data sharing between you, your provider, and their networks, hence improving the claim process.
An excellent example of a clearinghouse is Emdeon. It is the largest healthcare clearinghouse in the U.S. healthcare system, responsible for revenue and payment management and connecting payers, patients, and providers in the healthcare system.
Clearinghouses have to comply with the HIPAA Security Rule, or they will otherwise face heavy fines for breaches.
According to the Department of Health and Human Services (HHS), one of the leading healthcare clearinghouses, Anthem, Inc., had to pay $16 million after a series of cyberattacks.
The 2015 incident exposed the electronic PHI of close to 79 million people. The stolen e-PHI included names, social security numbers, email addresses, dates of birth, physical addresses, and employment information.
The fourth type of Covered Entity is a Hybrid Entity which refers to any single legal entity that performs the covered and noncovered functions in its operations.
A covered function is any function whose performance makes the individual or organization performing it a health plan, healthcare clearinghouse, or healthcare provider.
To become a Hybrid Entity, the Covered Entity must designate the healthcare components within its organization.
A Hybrid Entity's healthcare component may not include research components that neither function as healthcare providers nor perform functions similar to those of a business associate.
The research components of a Hybrid Entity functioning as healthcare providers and performing electronic transactions should be added to the Hybrid Entity’s healthcare components. The research components then become subject to the HIPAA Privacy Rule.
According to HHS, covered entities should comply with HIPAA’s Security and Privacy Rules.
The HIPAA Security Rule demands that Covered Entities establish reasonable and effective administrative, technical, and physical safeguards to protect e-PHI.
The Covered Entities should comply with the following requirements:
The HIPAA Privacy Rule addresses the use of PHI by covered entities by outlining standards for individuals' right to control the use of their health information.
The Privacy Rule gives an individual the right to examine and access a copy of their medical records.
Individuals have a right to authorize Covered Entities to share their e-PHI with a third party.
Individuals and organizations involved in transferring, storing, and processing protected health information should comply with HIPAA regulations.
However, these individuals or organizations have to operate as health plans, healthcare providers, or healthcare clearinghouses to fall under the category of Covered Entities.
We have provided a detailed list of the three main categories of Covered Entities plus Hybrid Entities. Read through the article to understand your position.
Flatirons Development will be your most trusted partner if you are a Covered Entity looking into developing healthcare software for your organization.
We are HIPAA-Compliant, offering software development for mobile and web applications of your dreams.
We’re willing to sign a Business Agreement with your organization to ensure HIPAA compliance.