What is a Covered Entity? Definition.

A covered entity is an entity required to comply with the HIPAA Administrative Simplification provisions. If an entity is a covered entity for any purpose under HIPAA Administrative Simplification, it is a covered entity for all purposes under HIPAA - meaning it must comply with not only the Privacy Rule, but also the Electronic Transactions Rule, the Security Rule, etc.

Examples of a Covered Entity

According to HIPAA Privacy and Security, there are three types of covered entities:

  • Health plans (which include employer-sponsored group health plans).
  • Health care clearinghouses.
  • Health care providers who transmit any health information in electronic form in connection with a listed transaction.

[45 CFR § 160.103.]

Employers need to determine if they offer a covered health plan or if they offer any health services on-site that qualify as a covered health care provider.

Definition of a Covered Health Plan.

Generally, a covered health plan is an individual or group plan that provides, or pays the cost of, medical care. See the flowchart image to help you determine if you are a covered health plan. [45 CFR § 160.103.] Medical care is defined as amounts paid for:

  • Diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any structure or function of the body,
  • Transportation primarily for and essential to the medical care listed above, and
  • Insurance covering the medical care and transportation costs listed above.

[42 USC § 300gg-91(a)(2).]

Definition of a Health Care Provider.

The term health care provider is defined broadly. See the flowchart image to help you determine if you are a health care provider. It includes:

  • A provider of services as defined in section 1861(u) of the PHS Act, 42 USC § 1395x(u), including, for example, a hospital,
  • A provider of medical or health services as defined in section 1861(s) of the PHS Act, 42 USC § 1395x(s), for example a physician, and
  • Any other person or organization who furnishes, bills, or pays, or is paid for health care in the normal course of business.

[45 CFR § 160.103 (definition of "health care provider").]

The last part of the definition in particular is meant to be functional – a person is a health care provider if the activities in which the person is engaged meet the definition of health care. It is, therefore, important to know the meaning of the term "health care."

Appropriate PHI Safeguards. Includes Training, Policies, Procedures.

Regarding the treatment of protected health information, Covered Entities shall use all appropriate safeguards to prevent use or disclosure of Protected Health Information received from, or created or received on behalf of, the Covered Entity other than as provided for in the Business Associate Agreement or as required by law.

These safeguards will include, but not be limited to:

  1. Training
    • Providing annual training to relevant employees, contractors and subcontractors on how to prevent the improper use or disclosure of Protected Health Information; and
    • Updating and repeating training on a regular basis.
  2. Administrative Safeguards
    • Adopting policies and procedures regarding the safeguarding of Protected Health Information; and
    • Enforcing those policies and procedures, including sanctions for anyone found not in compliance.
  3. Technical and Physical Safeguards
    • Implementing appropriate technical safeguards to protect Protected Health Information, including access controls, authentication and transmission security; and
    • Implementing appropriate physical safeguards to protect Protected Health Information, including workstation security and device and media controls.