The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and sets forth a comprehensive set of standards for protecting sensitive patient health information. The Privacy Rule applies to all entities that fall within the definition of a "covered entity", which generally includes healthcare providers, health plans, and clearinghouses.
However, there are certain types of entities that are excluded from the definition of a covered entity, and as such, are not subject to the requirements of the Privacy Rule. These entities are commonly referred to as "non-covered entities." In this blog post, we will provide a brief overview of non-covered entities under HIPAA and introduce a free tool you can use to determine if your organization is a covered entity.
What is a Non-Covered Entity Under HIPAA?
As mentioned above, a non-covered entity is an entity that is not subject to the requirements of the HIPAA Privacy Rule. There are two types of non-covered entities under HIPAA: business associates and hybrid entities.
Business associates are defined as individuals or organizations that perform certain functions or activities on behalf of, or provide certain services to, covered entities that involve the use or disclosure of protected health information (PHI). Hybrid entities are defined as covered entities that have both covered and non-covered components.
It is important to note that although business associates and hybrid entities are not subject to the requirements of the Privacy Rule, they may be subject to other provisions of HIPAA, such as the Security Rule and Breach Notification Rule. In addition, business associates and hybrid entities may have obligations under state law.
A non-covered entity is an individual, business, or agency that is NOT a health care provider that conducts certain transactions in electronic form, NOT a health care clearinghouse, and NOT a health plan.
Examples of non-covered HIPAA entities:
Fitbit
Olive AI
Zus Health
Vim
What is a Covered Entity under HIPAA?
A “covered entity” is the inverse of the above, defined in 45 CFR 160.103 as:
A health care provider who transmits any health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (45 CFR Part 162).
Examples of covered entities include:
Hospital organizations that transmit patient information electronically for billing purposes;
Physician practices, clinics, and groups that use electronic medical records or engage in online prescription ordering;
Health insurers that maintain online policyholder portals; and
Pharmacies.
Some laboratory companies also would be considered covered entities if they electronically bill for their services or engage in other electronic transactions for which HHS has adopted standards.
Is a Business Associate Agreement (BAA) required for non-covered entities?
Despite not being subject to HIPAA, non-covered entities still play an important role in protecting the privacy of an individual’s health information. Any business that deals with Protected Health Information (PHI) from a covered entity must sign a Business Associate Agreement (BAA). The BAA is a contract between the business associate and the covered entity that outlines the expectations and responsibilities of both parties with regard to PHI.
In order for a BAA to be valid, the covered entity must have a direct relationship with the business associate. A direct relationship means that the business associate provides services to or on behalf of the covered entity. An indirect relationship exists when the business associate provides services to or on behalf of another business associate of the covered entity. When this is the case, each business associate in the chain must have its own BAA in place with the covered entity.
Free Covered Entity HIPAA Compliance Tool
Unsure if your organization is a covered entity? It can be confusing to determine whether an entity is a covered entity or a non-covered entity, so we put together a free tool, based on CMS guidelines, that you can use to determine whether an individual, business, or agency is a covered entity.
Confirm Your Knowledge
Q: Which option below is not a covered entity under HIPAA?
Pharmacist
Worker’s Compensation Plan
Doctor’s Office
Health Insurance Plan
A: Worker’s Compensation Plan.
Summary
There are two types of non-covered entities under HIPAA: business associates and hybrid entities. Business associates are defined as individuals or organizations that perform certain functions or activities on behalf of, or provide certain services to, covered entities that involve the use or disclosure of protected health information (PHI). Hybrid entities are defined as covered entities that have both covered and non-covered components.
Although business associates and hybrid entities are not subject to the requirements of the Privacy Rule, they may be subject to other provisions of HIPAA, such as the Security Rule and Breach Notification Rule. In addition, business associates and hybrid entities may have obligations under state law.
Covered entities include health plans, clearinghouses, and certain healthcare providers like doctors, pharmacies, and dentists who submit electronic claims. Non-covered entities, not bound by the Privacy Rule, can include wearable tech, health apps, or providers not dealing with electronic data.
Entities that are either workers' compensation insurers, workers' compensation administrative agencies, or employers (not considered covered entities based on other criteria) are not covered by HIPAA.
These covered entities are required to protect patients' protected health information (PHI). Marketers, who may use PHI for marketing purposes, and parents/legal representatives, who have access to the PHI of their children, are not covered entities under the HIPAA Privacy Rule.
Covered entities are required by law to cooperate with complaint investigations. If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.
paper, or other media, you have responsibilities for safeguarding health information. The HIPAA Privacy Rule covers protected health information (PHI) in any medium, while the HIPAA Security Rule covers electronic protected health information (e-PHI).
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
HIPAA allows exemptions for entities providing only workers' compensation plans, employers with fewer than 50 employees, and government-funded programs such as food stamps and community health centers.
What's not subject to HIPAA may surprise you, including pharmaceutical companies, employers and universities. “When you have an accident at work, when you have a Family Medical Leave Act claim, when you have a doctor's note for why you missed work, none of that is covered by the HIPAA rules,” Nahra said.
State agencies like child protective services and law enforcement agencies also fall outside of HIPAA's scope because their primary functions do not involve the electronic transmission of health information for transactions covered by HIPAA.
It's essential to determine your classification to ensure compliance and avoid penalties under HIPAA.
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information.
Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.
A covered entity may disclose PHI without the individual's permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual's written permission, which is an “authorization” that must meet specific content requirements.
A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security
A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media.
Life insurers, employers, workers' compensation carriers, most schools and school districts, many state agencies like child protective services agencies, most law enforcement agencies, and many municipal offices are exempt from the HIPAA Security Rule, even though they may have health information about you.
Exceptions include employer-funded group health plans with fewer than 50 participants, and government-funded health centers. Also excluded as covered entities are automobile insurance companies, workers' compensation plans, and liability insurance plans.