Covered entities, business associates and, as applicable, their subcontractors must comply with the HIPAA Rules. If an entity does not meet the definition of a covered entity or a business associate, the HIPAA Rules do not apply to it.
Covered Entities
By definition, any organization that collects, creates, or transmits PHI is known as a covered entity. Healthcare organizations that are considered covered entities include:
- Covered healthcare providers such as chiropractors, clinics, dentists, doctors, nursing homes, pharmacies, and psychologists.
- Health plans such as health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for healthcare (e.g., Medicare and Medicaid).
- Health care clearinghouses such as billing services, repricing companies, community health management information systems, and value-added networks.
Business Associates
Business associates are vendors to a covered entity that create, receive, maintain or transmit protected health information (PHI) in the course of performing functions that involve PHI.
Business associates may include, but are not limited to, the following:
- Lawyers
- Accounting or consulting firms
- Cloud service providers
- File sharing vendors
- Shredding service providers
- Translator service providers
- Consultants hired to conduct internal audits, perform coding reviews, etc.
- Information technology vendors
According to HHS, a covered entity may disclose PHI to a business associate only to help carry out the covered entity's healthcare operations, not for the business associate’s independent use or purposes. For example, a business associate or a subcontractor cannot use the covered entity’s PHI for its own email communications.
Subcontractors
Similar to business associates, subcontractors are vendors to a business associate that create, receive, maintain or transmit PHI on behalf of that business associate. For instance, a business associate may delegate a function, service, or activity to another entity to streamline its operations. Just as a covered entity may enlist the help of a business associate, a business associate may enlist the help of another entity. Under HIPAA, these entities are called business associate subcontractors.