The United States Department of Health and Human Services (HHS) states that a Covered Entity is one of the following:
1. A Healthcare Provider:
– Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies (referring only to providers that send, receive, or store private information in electronic form).
2. A Health Plan:
– Health insurance companies, HMOs, company health plans, Healthcare-related government programs (Medicaid, Medicare, etc.)
3. A Healthcare Clearinghouse
– This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
All Covered Entities who fall under these categories MUST, under HIPAA, comply with all requirements and procedures to protect the privacy and security of any health information being accessed, stored, or transmitted electronically.
While this may be straightforward, some Covered Entities are not able to conduct all of their healthcare-related actions internally. When this is the case, a third-party organization will typically partner with the Covered Entity to meet compliance requirements and be deemed HIPAA compliant. This third-party organization is referred to as a Business Associate.
A “Business Associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or provides services to, a Covered Entity. In short, the role of a Business Associate is to help comply with the HIPAA Privacy Rule.
In the event that the Covered Entity partners with a Business Associate for HIPAA compliance purposes, then a Business Associate Agreement or BAA must be in place in accordance with the law. In short, a BAA is a written contract between a Covered Entity and a Business Associate outlining the responsibilities of both parties.
If you are unsure of whether your organization is a Covered Entity or not, talking to a lawyer or legal team is a great way to determine what category your business falls into.