The HIPAA rules apply to all Covered Entities and Business Associates. In particular, the HIPAA Privacy Rule, which protects a person’s medical records, gives patients rights over their health information and sets restrictions and conditions on the use and disclosure of protected health information (PHI). It is essential to understand the distinction between a covered entity and a business associate because the HIPAA Privacy Rule applies to each differently. Understanding how it is administered to each helps you understand who has access to medical data and what authority, if any, they have over PHI.
In HIPAA law, covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers that transmit PHI electronically in connection with transactions for which HHS has developed standards. In general, these transactions undertaken by covered entities include billing and payment for health services. Covered entities can be institutions, organizations, or individuals. As mentioned above, covered entities fall into three core categories under the HIPAA rules, outlined below:
- Health Plans: HMOs, company health plans, health insurance plans, and government programs that pay for healthcare
- Health Care Providers: physicians, clinics, psychologists, dentists, chiropractors, nurses, and pharmacies (but only if they electronically transmit information relating to a transaction for which HHS has adopted a standard)
- Health Care Clearinghouses: organizations that process nonstandard information into the standard formats on behalf of other organizations
It is very common for covered entities to use the services of other individuals or businesses to carry out their healthcare activities and functions. These are referred to as Business Associates (BAs). A health plan, healthcare clearinghouse, or covered healthcare provider can itself be a business associate of another covered entity.
When a business associate is engaged to carry out functions, a business associate agreement must be put in place to ensure that patient data is protected in accordance with HIPAA requirements. This contract or arrangement must establish exactly what the BA is being engaged to do and require the BA to comply with all relevant HIPAA regulations. Some examples of business associates include:
- Any consultant that performs utilization reviews for hospitals
- Health care clearinghouses that convert a claim from a nonstandard format into a standardised one
- Third-party administrators that assist a health plan with processing claims
- Independent medical transcriptionists that provide services to a physician
The onus is on the covered entity to ensure that any business associates are following HIPAA guidelines and sufficiently safeguarding protected health information.
Lua is a secure communication solution that complies with HIPAA/HITECH as a Business Associate. Learn more with our HIPAA FAQs.