Understanding HIPAA Covered Entities

Blog / Understanding HIPAA Covered Entities

table of contents icon

Table of Contents

    Leonardo Koshoni
    Leonardo KoshoniJanuary 30, 2022

    Head of Business Analysis

    HIPAA covered entities are organizations that are bound by HIPAA. As a digital healthcare company, you might be wondering if you’re included in this bracket. 

    It can be challenging to understand the full scope of HIPAA. Typically, we often think that only healthcare providers and insurers are thought of as covered entities. However, HIPAA does reach wider than this. 

    HIPAA regulations dictate the laws around handling protected health information (PHI). The priority is to protect patients private health information. This is critical for any company that stores or transfers this type of data. Even if you’re not sure if you’re a covered entity, it’s important to protect user privacy.

    Identify what kind of information your organization accesses or stores and focus on ensuring maximum security. 

    hipaa covered entity

    Types of Covered Entity

    HIPAA regulations specifically outline three categories of covered entities. These are the most familiar organizations:

    • Healthcare Providers: includes doctors, dentists, specialists, pharmacies and more.

    • Health Care Clearinghouse: entities that process nonstandard health information from another entity into a standard, or vice versa. For example, organizations that receive claim information and check for errors.

    • Health Plans: includes insurers, HMOs, government programmes like Medicare and more.

    However, recent applications of HIPAA have extended the reach of covered entities even further. Essentially, a covered entity has become anyone that handles, processes, or transmits PHI. 

    HIPAA outlines these as “Business Associates”. According to the regulations, a business associate is any organization that has access to PHI. However, their primary role may not be based on their access to PHI.

    A business associate could be a medical bill collections service, a law office or a medical transcriptionist, for example. These companies and organizations might handle PHI in the process of doing their job. However, their duties also continue outside of protected health information.

    Ultimately, if an organization comes into contact with PHI, store the data, or transfer the data, they must follow HIPAA regulations.

    Are Digital Healthcare Companies Covered Entities?

    Digital healthcare companies often fall under a covered entities category. Therefore, they must follow HIPAA. As mentioned above, if they have access to, store or transmit PHI, then they are a covered entity. 

    Digital healthcare companies don’t sit in one of the three original covered entity categories. Typically, they would be classed as a business associate. However, ultimately they must follow all of the same regulations as any other covered entity. 

    If you’re still unsure, the key is to conduct an in-depth analysis of your projects. This is where a HIPAA risk assessment might come in handy. 

    One of the first steps in a HIPAA risk assessment is to look at how you’re already handling PHI. If you haven’t previously conducted a risk assessment, take the time to look into each of your development teams. Identify what data is available within each element of your project. Do you have access to any protected health information?

    Protected health information is any identifiable health data, pertaining to an individual person or groups of people. The following are some examples of PHI:

    • Names

    • Addresses

    • Email Addresses

    • Telephone Numbers

    • Prescription Details

    • Treatment Plans

    • Diagnoses

    • Photographs

    • Test Results

    • Bank Account Numbers or Payment Numbers

    • Social Security Numbers

    The list is quite extensive. It’s safe to assume that if you carry any data on behalf of a healthcare organization within your digital health development, then it is classed as PHI. 

    Another way to identify whether your development is bound by HIPAA regulations is to find out whether your partner is. If you’re working on behalf of another company, or healthcare provider, ask them about their regulatory obligations. If they are bound by HIPAA, then it’s likely that your development is, too. 

    hipaa covered entity

    Covered Entity Obligations

    Once you have identified that you are a HIPAA covered entity, then you need to understand the HIPAA requirements. The requirements will guide what safeguards you need to put in place in order to protect personal health information. 

    In basic terms, covered entities are responsible for following three primary rules:

    1. The Privacy Rule

    2. The Security Rule

    3. The Breach Notification Rule

    The privacy rule is the most significant rule within HIPAA. It outlines appropriate safeguards for the protection of private health information. It also sets conditions under which that information can be used or stored. These are the national standards for the security of protected health information. Ultimately, it requires you to implement the noted safeguards when handling PHI, and protect it against any unauthorized use or disclosure. 

    The security rule is a subset of rules to the privacy rule. Its requirements are very similar. However, it specifically outlines the regulations for the use and disclosure of electronic protected health information. This is likely to be the most applicable rule to digital health development.

    The breach notification rule describes the procedures for handling a breach or violation. If either of these occur, you must follow the prescribed rules. The priority is to notify the appropriate parties:

    • The victims/patients affected

    • Governing bodies

    • The media

    Notification of the media is dependent on the number of patients affected by the breach. If it’s over 500, the media should be notified. 

    You have 60 days to make your notifications, under the breach notification rule. Those affected must then have the opportunity to make enquiries to the organization. This includes providing a free phone number for this sole purpose. 

    As a covered entity, it’s critical to have a full understanding of these three rules within HIPAA. Implement the privacy rule and the security rule effectively, to avoid having to make any breach notifications. However, always make preparations for the breach notification rule. It’s better to be prepared in the event of a breach. These are your primary responsibilities as a covered entity.

    At Vertrical, we develop with compliance in mind. We have teams of compliance specialists, that can guide your projects from start to finish. We know how important it is to operate under all compliance regulations, including HIPAA, GDPR and more. Contact us today to hire our teams for your next project. 



    You may also like

    Leonardo Koshoni

    American Law is Just as Relevant in Europe as the USA

    European health technology firms are already complying with GDPR and other EU regulatory requirements. Ho...

    Leonardo KoshoniNovember 1, 2021
    Leonardo Koshoni

    What Challenges does GDPR Present to American Companies?

    GDPR, the European Union’s signature data protection law that came into force in the spring of 2018 has b...

    Leonardo KoshoniOctober 20, 2021
    Sheraz Sarwar

    Blockchain's Affect on the Healthcare Sector

    Blockchain as a system of recording information is, theoretically, unhackable. Because every time a trans...

    Sheraz SarwarNovember 8, 2021


    facebook share
    facebook share
    facebook share
    facebook share
    facebook share