2. What Is a HIPAA Covered Entity?
3. Business Associates and Covered Entities
4. What Is the HITECH Act?
5. Keeping Electronic Health Records Secure
6. Frequently Asked Questions


What Is a HIPAA Covered Entity?

A HIPAA covered entity is any organization or corporation like a hospital or health insurance provider that handles people's personal health information or health records. HIPAA (the Health Insurance Portability and Accountability Act) sets the privacy and security standards for keeping personal medical information confidential.

In the Code of Federal Regulations — Section 160.103 of title 45 — a covered entity is defined as any health care clearinghouse, health plan, or health care provider that transmits information about patient health in electronic form.

This includes:

  • hospitals
  • medical centers
  • physician offices
  • companies that offer medical billing services and information systems

Health plans can be administered by employers, health insurance companies, HMOs, and the federal government (think Medicare, Medicaid, and the VA). Accordingly, these are also types of covered entities.

All covered entities must adhere to the HIPAA Privacy Rule, which protects patient information covering everything from health status to payment history. This information is considered protected health information (PHI).

Business Associates and Covered Entities

Any organization that must abide by HIPAA compliance needs to know what a business associate is. A business associate is any individual or entity involved with the use or disclosure of PHI. They typically work on behalf of or provide services to a HIPAA covered entity. They can include such persons and entities as:

  • accountants
  • consultants
  • payers (insurance providers)
  • pharmacies
  • laboratories
  • e-health record software vendors

What Is the HITECH Act?

Covered entities are required to comply with regulations set forth by HIPAA and the HITECH Act. The HITECH (Health Information Technology for Economic and Clinical Health) Act aims to standardize procedures in the exchange of health care information.

HITECH encourages health care providers to digitize their medical records, which saves the government roughly $10 billion. It strengthens privacy and security protections for PHI. HITECH also expands the scope of HIPAA by mandating public notification of data breaches involving PHI, and it requires stricter compliance and accounting for requests involving electronic PHI.

Keeping Electronic Health Records Secure

Lauren Kunze, CEO of Pandorabots, a platform for building and deploying chatbots, predicts that chatbots will eventually be implemented in health care, finance, and any organizations having to do with Children's Online Privacy Protection Act regulations.

Jon Russell, senior vice president and CIO at John Muir Health in Walnut Creek, California, said that traditional cybersecurity technologies are not effective in this day and age and that next-generation cybersecurity technologies are necessary. John Muir Health is using vArmour "which is helping us with our virtual environment [and] microsegmentation, giving us visibility of traffic flowing east, west, very effectively." Russell said that they use Cylance, an AI-based threat prevention technology which allows them to avoid some of the problems they have seen around ransomware. Russell added that, in addition to these next-generation cybersecurity detective and defensive technologies, backing up data is also crucial, and that storage is going to be the primary vector that will be attacked, and having a storage strategy is very important. Russell suggests a tiered storage strategy that would help a health care organization recover from an attack.

Frequently Asked Questions

Is compliance with HIPAA necessary if a mental health organization does not bill insurance directly?

Counselors should take precautions to ensure the confidentiality of all information. A therapist or supervisor must use technological platforms that are as secure as possible and meet required laws. The APA Code of Ethics, or the Ethical Principles of Psychologists and Code of Conduct, states that the Ethics Code applies across a number of contexts, including in person, phone, postal, internet, or other electronic transmissions. It also states that social workers must take all precautions to maintain confidentiality when information is transmitted to other parties via computer, e-mail, fax, phone, answering machines, or other electronic technology.

Is compliance with HIPAA necessary if a health care organization does not bill insurance directly?

U.S. health care providers must still perform security duties even in the case of HIPAA release. For many clinicians, HIPAA compliance is a useful approach to meeting their needs for security and privacy because there are so many resources available for achieving it.

In the U.S., HIPAA is the most authoritative and thoroughly developed set of rules defining the standards for security and privacy in health care. Business associates such as accountants, consultants, and pharmacies work on behalf of HIPAA covered entities. A covered entity must comply with HIPAA and HITECH mandates for the protection of PHI.

If you need help with understanding HIPAA, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Menlo Ventures, and Airbnb.