Is Your Organization Considered As A HIPAA-Covered Entity?

HIPAA Covered Entity

Originally, the term “HIPAA Covered Entity” was not defined in the Health Insurance Portability and Accountability Act when it was first introduced in August 1996. The term first appeared in HHS’s proposed HIPAA Privacy Rule when the Rule was released for public comment in November 1999. It was officially published after amendments had been made in December 2000.

The HIPAA Privacy Rule has been changed from the “Administrative Simplification Rule” of the original legislation. This Rule required the Secretary of the Department of Health & Human Services to establish a set of national standards for the protection of certain health information. These standards define what kind of health information is to be protected and who is responsible for protecting it (covered entities).

Definition of HIPAA Covered Entity:

The Privacy Rule defines a Covered Entity as any healthcare plan, clearinghouse, or healthcare provider that transmits Electronic Protected Health Information (PHI or ePHI) according to the standards defined by the Department of Health and Human Services.

However, there are also a few gray areas in the definition of a HIPAA Covered Entity. For instance, compensation of the employees working for a health insurance company is not regarded as a health plan. Despite that fact, they will be mentioned in the receipt of personally identifiable information. Usually, it is considered to be protected during the process of settling compensation claims of workers.

Going deeper into the gray areas of the definition of a HIPAA Covered Entity, consider a healthcare clearinghouse that only receives PHI when it is providing processing services to a health plan or healthcare provider. In this case, the healthcare clearinghouse becomes a Business Associate and is not considered a HIPAA Covered Entity.

Is an employer considered as a HIPAA Covered Entity?

One would think that if a clearinghouse meets the qualification standards of a HIPAA Covered Entity, then an employer must as well. Also, the HR department of an employer receives a lot of personally identifiable information that is classified as “protected”. However, an employer would not be considered a HIPAA Covered Entity even if it sponsors a self-insured group health plan.

This is because a self-insured group health plan is considered a separate legal entity from the sponsoring employer. Therefore, the HIPAA Privacy Rule only considers the group health plan, and not the employer, as a HIPAA Covered Entity. An employer can also be considered a HIPAA Covered Entity if it also administers the group health plan and the plan comprises more than fifty participants. This scenario is rare, however. Usually, a third party administers a large plan by providing its services as a Business Associate to the group health plan.

Moreover, certain conditions for the disclosure of information also apply to an employer. PHI is shared with an employer during the execution of administrative functions such as claim submission, medical billing, coding, and medical audit.

If PHI is shared with an employer under these conditions, then the employer will remain protected according to the standards defined by the HIPAA Privacy Rule. This protection is not meant for employment-related actions. Because of this, an employer (although not a Covered Entity) has to follow the same rules that are defined for a HIPAA Covered Entity in certain circumstances.

Example of a HIPAA Covered Entity:

To better define the term “HIPAA Covered Entity”, I have mentioned some examples for HIPAA Journal that originated from the Department of Health & Human Services. These examples are not all-inclusive and they can change at any time.

Health Plans:

HIPAA-covered health plans usually cover insurance for healthcare treatment, dental treatment, vision treatment, or prescription drugs. Other HIPAA Covered Entity examples within the health plan category include health maintenance organizations (“HMOs”) and long-term healthcare insurers (excluding nursing home fixed-indemnity policies). As I mentioned earlier, employer-sponsored group health plans, government- and church-sponsored health plans, and multiemployer health plans are all considered Covered Entities under HIPAA.

Healthcare Clearinghouses:

Clearinghouses receive claims information from healthcare providers during the medical billing process. They check the claims for errors and verify that the format of each claim is compatible with the payer's software. Healthcare clearinghouses, community health management information systems, and repricing companies are classified as HIPAA Covered Entities, as the sole purpose of these entities is related to PHI.

Healthcare Providers:

The last definition of a HIPAA Covered Entity was changed in 1999. According to the modified definition, healthcare providers who submit HIPAA transactions electronically are considered Covered Entities under HIPAA. Electronic transactions may include claims, benefit eligibility inquiries, referral authorization requests, or other transactions. Note that this only covers transactions for which HHS has defined a set of standards under the HIPAA Privacy or Security Rule.

Difference Between HIPAA Covered Entity and Business Associate

In this article, I have referred to a Business Associate several times. Hence, it is important for you to know the difference between a Business Associate and a HIPAA Covered Entity. I have already explained that a healthcare clearinghouse is considered a HIPAA Covered Entity only if its sole purpose is related to PHI.

What is a Business Associate?

This term refers to an entity whose primary objective doesn’t relate to the use of PHI but which can access PHI. Such an entity is allowed to access PHI in the provision of a service performed on behalf of a HIPAA Covered Entity.

Since the publication of the Final Omnibus Rule (introduced in 2013), Business Associates are as responsible as a HIPAA Covered Entity for the security protocol of any PHI they encounter. A Covered Entity should perform due diligence on the service provider before sharing PHI with a Business Associate. It should also obtain a signed Business Associate Agreement to set out the permissible use of the PHI. Even Business Associates can be penalized if they are involved in a breach of PHI due to the absence of an Agreement.

If a Business Associate is involved in the electronic exchange of PHI, it also has the authority to conduct due diligence on the subcontractor. Therefore, Business Associates should ensure that the subcontractor complies with the Privacy and Security guidelines. Business Associates should also sign an agreement with the subcontractor, who then takes responsibility in case a PHI breach occurs.

How Does a HIPAA Covered Entity Work For Another HIPAA Covered Entity?

The most complicated scenario is when a HIPAA Covered Entity provides services to another Covered Entity under HIPAA. According to the HIPAA Privacy Rule, there is no need for a Covered Entity to sign a Business Associate Agreement with another Covered Entity in order to share PHI for treatment purposes. For instance, a radiologist can interpret diagnostic images on behalf of a local physician.

However, if a hospital (Covered Entity A) enlisted the services of another hospital (Covered Entity B) to provide training to medical students, it would be essential for Covered Entity A to sign a Business Associate Agreement before disclosing PHI to Covered Entity B. Similarly, if a healthcare clearinghouse was unable to format a claim due to incompatibility with the payer’s software, then it would be required to sign a Business Associate Agreement with a healthcare clearinghouse that was able to format the claim.


It is important to add that an employee of a HIPAA Covered Entity is neither a Business Associate nor a Covered Entity under HIPAA in the above-mentioned case. According to the American Hospital Association, any person who performs services for a Covered Entity is considered to be under the direct control of that Entity, whether or not the Covered Entity pays them. This includes nurses, agencies, temporary workers, and volunteers along with employees.

Medical Billing Benefits is a healthcare newswire that empowers the medical business in the United States with comprehensive news distribution. Subscribe to our newsletter to stay up to date with the latest updates and trends in the healthcare industry.
