HIPAA compliance for covered entities: What you need to know
With data breaches aplenty, covered entities are facing expensive lawsuits - not to mention the subsequent effects on . You are likely a HIPAA-covered entity if you work in any capacity with a healthcare organization. That means you need to comply with the regulation.
The Health Insurance Portability and Accountability Act (HIPAA) has existed since 1996. HIPAA aims to keep protected health information (PHI) safe.
It covers organizations and individuals. In this post, we dig into who covered entities are, what covered transactions are, and the penalties for noncompliance with HIPAA.
What are covered entities under HIPAA?
A HIPAA-covered entity is an individual, institution, or organization that transmits PHI electronically. The Department of Health and Human Services (HHS) specifies which entities fall under HIPAA.
They include healthcare providers, health plans, clearinghouses, and some of their business associates.
Covered entities can use and disclose PHI for operations, treatment, and payment. Beyond maintaining a HIPAA compliance checklist, these entities should ensure their IT systems comply with HIPAA directives.
Types of covered entities
The following are the main forms of covered entities under HIPAA.
Healthcare providers
Facilities of any size that offer healthcare services and electronically transmit health data typically qualify as covered entities. They include the following:
- Pharmacies
- Hospitals
- Free clinics
- Freestanding ERs
- Telehealth
- Psychologists
- Doctors
- Clinics
- Nursing homes
- Dentists
- Chiropractors
The HIPAA Privacy Rule applies to healthcare facilities and third parties that use billing services.
Health plans
Individual or group plans offering healthcare insurance or medical care qualify as covered entities. Examples include:
- Vision, dental, and general health plans
- Long-term care insurers
- Health maintenance organizations (HMOs)
- Prescription drug insurers
- Health insurance companies
- Government-backed healthcare programs, such as Medicaid, Medicare, and veterans' or military health plans
- Employer-sponsored health plans
- Health plans sponsored by the government or church
- Multiemployer health plans
However, the following plans are exempt:
- Workers' compensation carriers, life insurers, and associates that don't deal with ePHI
- Auto insurance organizations (when not offering health benefits)
- An employer-run health plan with fewer than 50 individuals
- Government-run schemes that don’t offer or cover healthcare, like food stamps
Healthcare clearinghouses
Healthcare clearinghouses are entities that process nonstandard health information.
Examples are:
- Billing service companies
- Community health management information systems
- Repricing organizations
When processing services for healthcare providers or health plans, these entities often access PHI.
In these instances, clearinghouses qualify as Business Associates (BAs). This means they are subject to specific parts of the Privacy Rule governing their use and disclosure of PHI.
Is a business associate agreement (BAA) required for non-covered entities?
A business associate agreement is a written document setting out each party's responsibilities concerning PHI.
A business associate is an organization or individual that creates, maintains, or transmits PHI on behalf of a covered entity.
They include accountants, attorneys, IT support vendors, and shredding companies.
HIPAA guidelines require covered entities to partner only with BAs that can guarantee the protection of PHI. This assurance should take the form of a contract or other written agreement between the BA and the covered entity.
The HHS can audit BAs and subcontractors for compliance. To meet HIPAA requirements, entities should have a Business Associate Agreement (BAA) in place at all three levels: covered entity, business associate, and subcontractor.
According to the HHS, the business associate contract or agreement must include:
- A description of the permitted or required ways that the business associate can use PHI
- A stipulation that the associate can only use or disclose PHI as allowed by the contract or by law
- A requirement for the associate to apply preventive measures to prevent the disclosure or misuse of PHI
What are covered transactions?
The HHS has published standards in 45 CFR Part 162, known as covered transactions. They include:
- Healthcare status
- Payment and remittance advice
- Healthcare claims transmissions
- Treatment authorizations
- Eligibility checks
- Coordination of benefits
- Enrollment and disenrollment
- Referral certification and authorization
- Healthcare electronic fund transfers
Penalties for noncompliance with HIPAA
Penalties include civil monetary fines of $100 to $50,000 per violation, depending on an entity's level of culpability.
When the HHS uncovers multiple violations of HIPAA directives, or if violations have gone unchecked for several years, the fines can reach millions of dollars. Intentional violations can attract criminal penalties, such as fines and potential imprisonment.
Beyond financial penalties, covered entities could be required to undertake corrective action plans to update their policies and procedures to meet the standards stipulated by HIPAA. A state attorney general could also initiate a civil action, leading to monetary damages.