In this lesson, we'll go over some basics of covered entities – what covered entities are, some examples of covered entities, and what requirements covered entities all share. And at the end of the lesson, we'll provide you with a Word about the differences between covered entities and business associates.

What is a Covered Entity?

A covered entity is any provider of medical or other health services or people that have or handle PHI (protected health information). Covered entities include the following:

  • Healthcare providers
  • Health plans
  • Organizations and/or individuals that provide billing services or are paid in connection with services in the normal course of conducting business

Pro Tip: The key phrase to remember as it relates to covered entities, is that they handle PHI. This is the common element that all covered entities share.

You may recall from a previous lesson that PHI is health information that can identify an individual to whom the information belongs to. HIPAA's Privacy Rule was established to help protect PHI while in the care of either covered entities or business associates. This includes whether a covered entity or business associate is sending, receiving, or storing this information.

The two key elements to whether or not a piece of information can be considered PHI are:

  1. The H stands for Health, so the information in question must be healthcare-related.
  2. The information also must be identifiable. If the information in question cannot be used to identify the person it belongs to, then it isn't considered PHI.

Common pieces of information that are identifiable are names, addresses, dates of birth, and social security numbers. Everything an identity thief needs.

What are Some Examples of Covered Entities?

The list of covered entities is quite substantial and includes the following:

  • Physicians
  • Optometrists
  • Dentists
  • Nurses
  • Mental health providers
  • Radiologists
  • Laboratories
  • Pharmacies
  • Call centers
  • Durable medical equipment providers
  • Hospitals
  • Ambulance companies
  • Healthcare workers
  • Case managers
  • Social workers

As you can see, the list of covered entities extends well beyond healthcare professionals themselves and even beyond healthcare institutions like hospitals and clinics.

What is Required of a Covered Entity?

A covered entity is required to comply with all of HIPAA's regulations. These would include the following:

  • They are required to have risk assessments
  • They are required to have compliance training for staff
  • They are required to have a Book of Evidence that contains all the proper policies and procedures on how to handle PHI

A Word About the Differences Between Covered Entities & Business Associates

First, let's define what a business associate is.

What is a Business Associate?

A business associate is any business or person that provides a service for a covered entity, or a certain function or activity, when that service, function or activity involves the access to PHI that is maintained by the covered entity.

Examples of business associates include, but aren't limited to:

  • Lawyers
  • Accountants
  • IT contractors
  • Billing companies
  • Cloud storage services
  • Email encryption services

The key phrase from above that really defines a business associate is this: the access to PHI that is maintained by the covered entity.

What (Again) is a Covered Entity?

Remember, HIPAA covered entities are healthcare providers, health plans, and organizations – like healthcare clearinghouses – that electronically transmit health information for transactions covered by HHS' standards.

Without going too far down the rabbit hole, health plans are defined as health insurance companies, company health plans, government programs that pay for healthcare, and HMO's. Healthcare clearinghouses are defined as transcription service companies that format data to make it compliant and organizations that process non-standard health information.

Here is the key element to remember – even if an entity is a healthcare provider, health plan, or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards.

Remember, a business associate is an entity – either an individual or a company – that is provided with access to protected health information for the purpose of providing services for a HIPAA covered entity.

Business associates are required to sign a contract with the covered entity, which is called a business associate agreement (BAA), that outlines the responsibilities of the business associate and explains what is required of them to comply with HIPAA Rules. (This is something we will tackle in more detail in a subsequent lesson.)

So, what is the Difference?

Covered entities have PHI (protected health information) while business associates merely have access to PHI. It's a bit of an ambiguous distinction, but an important distinction, nonetheless.