The HIPAA Definition of Covered Entities Explained
The HIPAA definition of Covered Entities is generally explained as health plans, health care clearinghouses, and health care providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has developed standards. However, exceptions to this definition exist that can be responsible for unjustified complaints to the HHS’ Office for Civil Rights.
According to HHS´ Enforcement Highlights web page, the most common reason for HIPAA-related complaints being rejected by the HHS’ Office for Civil Rights is that the complaints allege a violation committed by an entity that is not a HIPAA Covered Entity. While it is not surprising some complaints are rejected for this reason, the fact it is the most common reason for complaints being rejected is notable when you consider the complexity of HIPAA and the volume of complaints the agency receives and rejects.
Since 2003, the HHS’ Office for Civil Rights has received more than 300,000 complaints and rejected more than 200,000. This implies tens of thousands of individuals – and possibly workforce members – do not understand the HIPAA definition of Covered Entities.
The HIPAA Definition of Covered Entities
The HIPAA definition of Covered Entities can be found in 45 CFR §160.103 of the Administrative Simplification General Rules. The definition is much the same as appears in the opening paragraph of this article inasmuch as:
Get the FREE
HIPAA Compliance Checklist
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
“Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” (“this subchapter” meaning Parts 160,162 and 164 of the Administrative Simplification Regulations).
What the HIPAA definition of Covered Entities does not explain is what exceptions apply – potentially contributing to misunderstandings about what HIPAA Covered Entities are and unjustified complaints being sent to the HHS’ Office for Civil Rights.
Health Plans and Health Insurance Issuers
The HIPAA definition of Covered Entities implies that all health plans are Covered Entities; however, that is not the case. Employers’ self-insured and self-administered health plans are exempt if they have fewer than fifty members (under the definition of group health plans in §160.103). Even if an employer’s self-insured health plan is administered externally, it may still qualify for a partial exemption if the employer does not sponsor a health plan that includes a medical Flexible Spending Account or Health Reimbursement Account.
Additionally, although “health insurance issuers” are included in the HIPAA definition of health plans (also in §160.103), they are excluded from the above definition of Covered Entities if they provide “excepted benefits” listed in §300gg-91(c)(1) of the US Code relating to Public Health and Welfare. These excepted benefits include:
- Coverage only for accident, or disability income insurance, or any combination thereof.
- Coverage issued as a supplement to liability insurance.
- Liability insurance, including general liability insurance and automobile liability insurance.
- Workers’ compensation or similar insurance.
- Automobile medical payment insurance.
- Credit-only insurance.
- Coverage for on-site medical clinics.
- Other similar insurance coverage under which benefits for medical care are secondary or incidental to other insurance benefits.
Therefore, if you are involved in an auto accident, and your auto insurance provider covers your healthcare costs following the accident, the auto insurance provider is not required to comply with HIPAA with respect to the privacy and security of your individually identifiable health information. Other exceptions may also apply to health insurance issuers when certain types of benefits are offered separately (i.e., dental care, home health care, etc.) or when coverage is for a specified type of disease not included in a coordinated health insurance policy (i.e., COVID-19 travel insurance).
The HIPAA definition of Covered Entities is clear that only healthcare providers that conduct electronic transactions for which the HHS has developed standards are considered to be Covered Entities. But what are the transactions, and which providers might not conduct them electronically? The standards the definition relates to can be found in Subparts D to S of the HIPAA Administrative Requirements (Part 162). Generally, these Subparts concern claims transactions between healthcare providers and health plans, the operating rules for claims, and the code sets to use in transactions.
In most cases, healthcare providers recover treatment costs from health plans, but there are some healthcare providers (for example, mental health counselors) who bill clients directly. Provided they do not use a third party for billing, these healthcare providers are not Covered Entities.
Healthcare providers that do recover treatment costs from health plans – but don’t do so electronically – are also excluded from the HIPAA definition of Covered Entities. Healthcare providers in this category can check eligibility, seek authorizations, and bill for payment via non-digital paper-to-paper fax or over the phone, and will not be Covered Entities as long as any health information disclosed in these communications is not stored electronically prior to the disclosure.
As soon as one item of health information relating to a covered transaction is communicated electronically to a health plan by a healthcare provider (i.e., via email), the healthcare provider qualifies as a Covered Entity and every transaction automatically becomes a HIPAA-covered transaction – making the healthcare provider a HIPAA Covered Entity.
It is important to be aware that if a healthcare provider does not qualify as a Covered Entity because it does not conduct HIPAA transactions or does not conduct them electronically, the healthcare provider may still be required to comply with the Privacy, Security, and Breach Notification Rules if they provide a service for or on behalf of another Covered Entity as a Business Associate.
School, college, and university medical facilities are generally assumed to not qualify as Covered Entities because students’ health information is classified as part of student educational records under the Family Educational Rights and Privacy Act (FERPA). Therefore, when FERPA-covered health information is disclosed by a school, college, or university to a health plan, it is not HIPAA-covered Protected Health Information and the standards of the Privacy Rule and Security Rule do not apply. However, not all educational institutions are covered by FERPA.
If a school, college, or university does not receive federal funds, it is not an educational institution as defined by FERPA. In such cases, individually identifiable health information collected, received, maintained, or transmitted to a health plan qualifies as Protected Health Information and the educational institution qualifies as a HIPAA Covered Entity – provided the disclosure relates to a transaction for which HHS has developed standards and the transaction is conducted electronically.
One further complication relating to educational institutions is if a school, college, or university medical facility provides health care for both students and the public. In such circumstances, the educational institution becomes a “hybrid entity” in which students’ health information is protected by FERPA, and the publics’ health information is subject to the HIPAA Privacy and Security Rules. Under a hybrid arrangement, both sets of health information must be isolated from each other.
More about Hybrid, Partial, and Affiliated Entities
Schools, colleges, and universities are not the only examples of hybrid entities. Employers that administer self-funded group plans can be hybrid entities inasmuch as health information relating to employment records has to be isolated from Protected Health Information relating to health claims. Similarly, insurance issuers that offer health insurance and (for example) auto insurance have to keep each type of record separate – even when an auto insurance client receives medical treatment as part of their auto insurance policy following an auto accident.
Partial entities are different from hybrid inasmuch as they only have to comply with specific parts of HIPAA. Certain types of externally administered self-insured health plans have already been provided as an example a partial entity, and a further example is prescription drug card sponsors.
Prescription drug card sponsors were added to the HIPAA definition of Covered Entities by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. However, as these entities do not conduct electronic transactions, they are only required to comply with the standards of the Privacy Rule relating to permissible uses and disclosures of Protected Health Information.
Affiliated Entities are legally separate Covered Entities under the same ownership or control. Being affiliated enables units within the group to disclose Protected Health Information to each other without the need for individual Business Associate Agreements. This system increases integration and efficiency but can also lead to unjustified complaints about impermissible uses and disclosures.
The Organizational Requirements of the General Rules include additional safeguards to prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, healthcare providers under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, it is not possible to disclose Protected Health Information to the parent organization.
Why HIPAA Definitions are Important to Know
The HIPAA definition of Covered Entities is just one example of the complexity of HIPAA and the challenges of compliance. However, with a better understanding of the HIPAA definitions, some organizations may be able to reduce the amount of effort required to comply with HIPAA – provided they let patients and clients know to avoid unjustified complaints to HHS’ Office for Civil Rights.