HIPAA compliance for covered entities: What you need to know

With data breaches aplenty, covered entities are facing expensive lawsuits - not to mention the subsequent effects on patient experience. You are likely a HIPAA-covered entity if you work in any capacity with a healthcare organization. That means you need to comply with the regulation. 

The Health Insurance Portability and Accountability Act (HIPAA) has existed since 1996. HIPAA aims to keep protected health information (PHI) safe. 

It covers organizations and individuals. In this post, we dig into who covered entities are, covered transactions, and penalties for noncompliance with HIPAA rules. 

A HIPAA-covered entity is an individual, institution, or organization that transmits PHI electronically. The Department of Health and Human Services (HHS) specifies which entities fall under HIPAA. 

They include healthcare providers, health plans, clearinghouses, and some of their business associates.  

Covered entities can use and disclose electronic PHI for operations, treatment, and payment. Other than maintaining a HIPAA compliance checklist, these entities should ensure their IT systems comply with HIPAA directives.   

The following are the main forms of covered entities under HIPAA. 

Healthcare providers

Facilities of any size that offer healthcare services and electronically transmit health data typically qualify as covered entities. They include the following: 

• Pharmacies

• Hospitals

• Free clinics

• Freestanding ERs

• Telehealth

• Psychologists

• Doctors

• Clinics

• Nursing homes

• Dentists

• Chiropractors

The HIPAA Privacy Rule applies to healthcare facilities and third parties that use billing services.

Health plans

Individual or group plans offering healthcare insurance or medical care qualify as covered entities. Examples include: 

• Vision, dental, and general health plans

• Long-term care insurers

• Health maintenance organizations (HMOs)

• Prescription drug insurers

• Health insurance companies 

• Government-backed healthcare programs, such as Medicaid, Medicare, veteran or military health plan

• Health plans sponsored by employees

• Health plans sponsored by the government or church 

• Multiemployer health plans

However, the following plans are exempt: 

• Workers compensation carriers, life insurers, and associates that don’t deal with ePHI 

• Auto insurance organizations (when not offering health benefits).

• An employer-run health plan with less than 50 individuals

• Government-run schemes that don’t offer or cover healthcare, like food stamps

Healthcare clearinghouses

Healthcare clearinghouses include entities that process nonstandard information. 

Examples are:

• Billing service companies

• Community health management information systems

• Repricing organizations 

When processing services for healthcare providers or health plans, these entities often access personally identifiable information (PII). 

These clearinghouses qualify as Business Associates (BAs) in these instances. This means they’re liable to specific parts of the Privacy Rule on their application and disclosure of PII. 

A business associate agreement is a written document highlighting each party's responsibilities concerning PHI. 

A business associate is an organization or individual that creates, maintains, or transmits PHI on behalf of a covered entity. 

They include accountants, attorneys, IT support vendors and shredding companies. 

HIPAA guidelines require covered entities to only partner with BAs who can guarantee total protection of PHI. This assurance should be a contract or other agreement between the BA and the covered entity.  

The HHS can audit BAs and subcontractors for HIPAA compliance. To meet HIPAA requirements, entities should have a Business Associate Agreement (BAA) for all three levels.

According to the HHS, the business associate contract or agreement must include:

• A description of the permitted or required ways that the business associate can use PHI 

• A caution that the associate can only use/disclose PHI as allowed by the contract or law

• A requirement for the associate to apply preventive measures to prevent the disclosure or misuse of PHI

The HHS has published standards in 45 CFR Part 162, known as covered transactions. They include: 

• Healthcare status

• Payment and remittance advice

• Healthcare claims transmissions

• Treatment authorizations

• Eligibility checks

• Coordination of benefits

• Enrollment and disenrollment

• Referral certification and authorization

• Healthcare electronic fund transfers 

The penalties for violating HIPAA guidelines include civil monetary fines from $100–$50,000 per violation, depending on an entity's level of culpability. 

When the HSS uncovers multiple violations of HIPAA directives or if violations have gone unchecked for several years, the fines could reach millions of dollars. Intentional violations could attract criminal penalties, such as fines and potential imprisonment. 

Other than financial penalties, corrective action plans could be necessary to address certain violations. A state attorney general could also initiate a civil action, leading to monetary damages. 

Covered entities could also be required to undertake correction action plans to update their policies and procedures to meet the standards stipulated by HIPAA.

Yes. Covered entities can use PHI for healthcare operations, treatment, and payment without obtaining explicit patient consent. However, they must follow HIPAA directives to ensure PHI’s privacy and security. 

According to HIPAA directives, the minimum necessary standard requires covered entities to limit PHI's use, disclosure, and request to the minimum amount necessary. This principle allows for maximum patient information privacy as it limits access to only the information needed for a specific task.