In this post, we’ll explain the difference between covered and non-covered entities under HIPAA, so you can get a clear understanding of where your healthcare organisation fits.
If you handle healthcare data and are based in the US, it’s likely you’ll need to comply with HIPAA.
Our ultimate guide to HIPAA regulations outlines everything you need to know about the federal law, including a breakdown of the different rules you’ll need to abide by.
However, the Privacy Rule applies only to covered entities and to the business associates that handle protected health information (PHI) on their behalf; simply holding health-related data does not bring an organisation into scope.
According to the Centers for Medicare & Medicaid Services (CMS), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, payment and remittance advice, and similar).
In practice, that means hospitals, pharmacies, clinics, and nursing homes, as well as medical researchers who also provide health care services and electronically transmit health data in connection with those standard transactions.
Non-covered entities are organisations that are not health plans, health care clearinghouses, or health care providers, but that often store health-related information anyway. The HIPAA Privacy and Security Rules do not apply to them directly; however, if they create, receive, maintain, or transmit PHI on behalf of a covered entity they become business associates, and HIPAA applies to them in that role.
Examples of non-covered entities include:
Establish whether your organisation is a covered entity, a business associate, or neither, so you know which legal requirements apply. Financial penalties for non-compliance can be heavy.
Covered entities often rely on third parties to process healthcare data on their behalf; such a third party is a business associate.
Before PHI is shared, the covered entity must put a Business Associate Agreement (BAA) in place. The BAA sets out exactly what the business associate has been engaged to do with the PHI, what it may not do with it, and its obligations to safeguard the data and report breaches, and it makes clear that the business associate must itself comply with HIPAA.
A business associate could be a subcontractor such as a transcriptionist, or a data transmission service provider that requires routine access to the PHI it carries. The Legal Information Institute at Cornell Law School publishes the full regulatory definition of a business associate, in 45 CFR § 160.103.
A covered entity could also be a business associate of another covered entity.
The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) publish a decision tool that walks you through whether you are a covered entity; use it if you’re unsure where your organisation fits.
Metomic is a data security software tool that helps security and compliance teams identify where sensitive data is stored in their SaaS apps, and understand who has access to it.
It can help you discover where PHI and PII are stored, and you can set custom rules to remediate or redact data when it’s shared in apps like Slack, Google Drive, or Jira.
Ben Van Enckevort, CTO at Metomic, says:
“Healthcare organisations will hugely benefit from Metomic’s ability to accurately detect sensitive PHI so they can minimise the risk to their business. Real-time employee notifications can help security teams educate the wider workforce on their security policies too so they can start building a culture that really does care about security.”