Who Must Abide by HIPAA?

HIPAA rules define the allowable uses and disclosures of protected health information (PHI), and they prescribe the physical, administrative and technical safeguards that must be in place to keep PHI safe. However, only certain entities that hold or transmit PHI are required to comply with HIPAA. The first group is covered entities. The second group is business associates: entities that perform services for covered entities that involve the use or disclosure of PHI.

Who Must Abide By HIPAA: Covered Entities

The first type of entity that must abide by HIPAA is the covered entity. Notably, the term "covered entity" did not appear in the HIPAA statute when it was enacted in 1996. The term only became part of the HIPAA vocabulary when the Privacy Rule was published in 2000.

Covered entities include:

  • Health plans
  • Health care clearinghouses
  • Healthcare providers who transmit health information in electronic form in connection with a HIPAA-covered transaction

HIPAA-covered transactions are transactions involving the transmission of information between two parties to carry out financial or administrative activities related to health care.

What are Health Plans?

Health plans include:

  • Individual and group plans that provide or pay the cost of medical care (e.g., health, dental, vision, and prescription drug insurers)
  • Health Maintenance Organizations (HMOs)
  • Medicare, Medicaid, and Medicare supplement insurers
  • Long-term care insurers
  • Employer-sponsored group health plans
  • Government and church-sponsored plans
  • Multi-employer health plans

If an insurance company has several lines of business, only one of which is a health plan, HIPAA applies to the health plan line of business.

What are Healthcare Providers?

Healthcare providers include providers of medical or health services, and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Examples of healthcare providers include:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

What are Health Care Clearinghouses?

Healthcare clearinghouses are public or private entities (including billing services, community health information systems, and value-added networks and switches) that perform either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. 


Health care clearinghouses, often referred to as “medical claims” clearinghouses, act as third-party intermediaries between providers of healthcare, and those who pay for healthcare – that is, health insurers (health plans).

After a provider treats a patient, the medical office generates a claim for payment, and files that claim in its medical billing software. The bill must ultimately be received by the health insurer so the insurer can pay its portion of the bill to the provider.

The claim recorded in the billing software is then exported as a file in the standard electronic claim format adopted under HIPAA, the ASC X12 837 transaction (often called the "ANSI format" because the X12 standards are accredited by the American National Standards Institute). An 837 file is not a numeric encoding of the claim text; it is a structured, delimited text file in which the claim is broken into segments and data elements (billing provider and its NPI, subscriber and patient, diagnosis and procedure codes, service lines and charges) so that any payer's software can parse it without human interpretation.

Once the file is in the standard format, the provider uploads it to the healthcare clearinghouse. The clearinghouse "scrubs" the file: it checks it for structural and content errors (missing required segments, malformed identifiers, charges that do not add up, invalid procedure codes) and verifies that the claim can be read by the insurer's software.

After scrubbing, the file is sent to the insurer. The insurer examines the file and notes whether errors exist (e.g., whether an incorrect billing code was entered, or whether the amount charged for a service is inaccurate). Finally, the insurance company, using its health care clearinghouse, securely transmits either a denial or an acceptance of the claim to the provider.
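As an added example (not code from the page or from any clearinghouse product), the following Python script shows what the "scrubbing" step amounts to in practice. It parses a small, constructed X12 837-style interchange (reduced to the segments the checks need; a real 837 carries many more loops) and applies the kinds of checks a clearinghouse runs before forwarding a claim: the envelope segments are present and in order, the SE01 segment count matches, the billing provider's NPI passes the CMS check digit (Luhn over the NPI with the 80840 prefix), the CLM02 total equals the sum of the SV102 line charges, and each procedure code is a five-character CPT/HCPCS code. The function names (`parse_segments`, `npi_is_valid`, `scrub`) and the sample data are my own; the element positions follow the X12 conventions noted in the comments.

```python
"""Minimal scrubber for an X12 837-style claim file (added example, not from the page)."""
from decimal import Decimal, InvalidOperation

SEGMENT_TERMINATOR = "~"
ELEMENT_SEPARATOR = "*"
COMPONENT_SEPARATOR = ":"

# Constructed sample: one professional claim with two service lines totalling 150.
# It is deliberately reduced to the segments the checks below look at.
# NPI 1234567893 is the worked example from the CMS check-digit specification.
SAMPLE_837 = (
    "ISA*00*          *00*          *ZZ*SUBMITTER      *ZZ*PAYER          "
    "*240101*1200*^*00501*000000001*0*T*:~"
    "GS*HC*SUBMITTER*PAYER*20240101*1200*1*X*005010X222A1~"
    "ST*837*0001*005010X222A1~"
    "BHT*0019*00*BATCH001*20240101*1200*CH~"
    "NM1*85*2*EXAMPLE CLINIC*****XX*1234567893~"   # NM101=85 billing provider, NM108=XX (NPI)
    "CLM*CLAIM0001*150***11:B:1*Y*A*Y*Y~"           # CLM02 = total charge
    "SV1*HC:99213*100*UN*1***1~"                    # SV101 = HC:procedure, SV102 = line charge
    "SV1*HC:36415*50*UN*1***1~"
    "SE*7*0001~"                                    # SE01 = segments from ST through SE
    "GE*1*1~"
    "IEA*1*000000001~"
)


def parse_segments(raw: str) -> list[list[str]]:
    """Split an interchange into segments; each is a list of elements, index 0 = segment ID."""
    return [seg.split(ELEMENT_SEPARATOR)
            for seg in raw.strip().split(SEGMENT_TERMINATOR) if seg]


def npi_is_valid(npi: str) -> bool:
    """Luhn check over the 10-digit NPI with the CMS card-issuer prefix 80840 prepended."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the claim passed every check."""
    segs = parse_segments(raw)
    ids = [s[0] for s in segs]
    findings: list[str] = []

    # 1. Envelope: required segments present and in the right order.
    required = ["ISA", "GS", "ST", "BHT", "SE", "GE", "IEA"]
    missing = [r for r in required if r not in ids]
    if missing:
        findings.append(f"missing required segment(s): {', '.join(missing)}")
    else:
        positions = [ids.index(r) for r in required]
        if positions != sorted(positions):
            findings.append("envelope segments out of order")

    # 2. SE01 must equal the number of segments from ST through SE inclusive.
    if "ST" in ids and "SE" in ids:
        se = segs[ids.index("SE")]
        expected = ids.index("SE") - ids.index("ST") + 1
        declared = se[1] if len(se) > 1 else "?"
        if declared != str(expected):
            findings.append(f"SE01 segment count {declared} != {expected}")

    # 3. Billing provider (NM1*85) must carry an NPI (qualifier XX) with a valid check digit.
    billing = [s for s in segs if s[0] == "NM1" and len(s) > 1 and s[1] == "85"]
    if not billing:
        findings.append("no billing provider loop (NM1*85)")
    else:
        nm1 = billing[0]
        if len(nm1) < 10 or nm1[8] != "XX":
            findings.append("billing provider identifier qualifier is not XX (NPI)")
        elif not npi_is_valid(nm1[9]):
            findings.append(f"billing provider NPI fails check digit: {nm1[9]}")

    # 4. CLM02 total charge must equal the sum of the SV102 line charges.
    clm = next((s for s in segs if s[0] == "CLM"), None)
    lines = [s for s in segs if s[0] == "SV1"]
    if clm is None:
        findings.append("no CLM segment")
    elif not lines:
        findings.append("claim has no service lines (SV1)")
    else:
        try:
            total = Decimal(clm[2])
            line_sum = sum(Decimal(s[2]) for s in lines)
        except (InvalidOperation, IndexError):
            findings.append("non-numeric charge amount")
        else:
            if total != line_sum:
                findings.append(f"CLM02 total {total} != sum of SV102 charges {line_sum}")

    # 5. Procedure codes: HC qualifier plus a five-character CPT/HCPCS code.
    for s in lines:
        parts = s[1].split(COMPONENT_SEPARATOR) if len(s) > 1 else []
        if len(parts) < 2 or parts[0] != "HC" or len(parts[1]) != 5 or not parts[1].isalnum():
            findings.append(f"malformed procedure code: {s[1] if len(s) > 1 else ''}")
    return findings


if __name__ == "__main__":
    print("clean     :", scrub(SAMPLE_837))
    print("bad total :", scrub(SAMPLE_837.replace("CLM*CLAIM0001*150", "CLM*CLAIM0001*175", 1)))
    print("bad NPI   :", scrub(SAMPLE_837.replace("1234567893", "1234567890", 1)))
```

Two practitioner notes. First, scrubbing is syntactic and arithmetic validation only; it says nothing about whether the submitter was authorised to send that claim, so the upload channel still needs its own authentication and the transport the page calls "secure". Second, every segment of this file is PHI (the NM1 and subscriber loops carry names, the HI loop carries diagnoses), so a production scrubber should report element positions and codes, as above, rather than logging whole segments.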

Who Must Abide by HIPAA: Business Associates

The second type of entity who must abide by HIPAA is known as a business associate. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. 

Business associate functions or activities on behalf of a covered entity include:

  • Claims processing;
  • Data analysis;
  • Utilization review; and
  • Billing.

Business associate services to a covered entity are limited to:

  • Legal 
  • Actuarial
  • Accounting
  • Consulting
  • Data aggregation
  • Management
  • Administrative
  • Accreditation
  • Financial

Persons or organizations are not business associates if their functions or services do not involve the use or disclosure of PHI and any access they have to PHI would be incidental, if it occurs at all. A covered entity can be the business associate of another covered entity. Since the 2013 Omnibus Rule, a subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate is itself a business associate, so the obligations follow the data down the vendor chain.