HIPAA Covered Entities and Business Associates

The HIPAA Rules apply to covered entities and business associates.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.

View an easy-to-use question and answer decision tool to find out if an organization or individual is a covered entity.

A Covered Entity is one of the following:

A Health Care Provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Fast Facts for Covered Entities

The Privacy Rule provides federal protections for personal health information held by covered entities, and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Privacy Rule does not require you to obtain a signed consent form before sharing information for treatment purposes. Health care providers can freely share information for treatment purposes without a signed patient authorization.

The Privacy Rule does not require you to eliminate all incidental disclosures. The Privacy Rule recognizes that it is not practicable to eliminate all risk of incidental disclosures. In August 2002, specific modifications to the Rule were adopted to clarify that incidental disclosures do not violate the Privacy Rule when you have policies which reasonably safeguard and appropriately limit how protected health information is used and disclosed.

The Privacy Rule does not cut off all communications between you and the families and friends of patients. As long as the patient does not object, the Privacy Rule permits you to:

  • share needed information with family, friends, or anyone else a patient identifies as involved in his or her care;
  • disclose information when needed to notify a family member or anyone responsible for the patient's care about the patient's location or general condition;
  • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.


The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else. Unless the patient objects, basic information such as phone number, room number and general condition can:

  • be listed in the hospital directory;
  • be given to people who call or visit and ask for the patient;
  • be given to clergy along with religious affiliation--when provided by the patient--even if the patient is not asked for by name.

The Privacy Rule does not prevent child abuse reporting. You may continue to report child abuse or neglect to appropriate government authorities.

The Privacy Rule is not anti-electronic. You can communicate with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of appropriate safeguards to protect patient privacy.


For more information, see here: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. These may not be the most recent versions. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information or the information linked to. Please check the linked sources directly.