In the context of HIPAA compliance, a covered entity refers to a healthcare provider, health plan, or healthcare clearinghouse that transmits electronic protected health information (ePHI) in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards. This includes health insurers, HMOs, employer-sponsored health plans, and government programs that pay for healthcare, among others.
Covered entities under HIPAA must comply with the Privacy, Security, and Breach Notification Rules, which set standards for protecting the confidentiality, integrity, and availability of PHI. Covered entities are also required to enter into contracts, known as business associate agreements, with any business associates they work with to ensure that those entities also comply with HIPAA regulations.
HIPAA’s Privacy Rule requires covered entities to obtain written authorization from patients before using or disclosing their PHI, with some exceptions such as for treatment, payment, and healthcare operations. Covered entities must also provide patients with a Notice of Privacy Practices (NPP), which describes how the entity uses and discloses PHI and explains patients’ rights with respect to their PHI.
The Security Rule requires covered entities to implement technical, administrative, and physical safeguards to protect ePHI from unauthorized access, use, and disclosure. This includes implementing access controls, encryption, and contingency planning measures, as well as training employees on HIPAA compliance.
The Breach Notification Rule requires covered entities to notify affected individuals, the media, and the Secretary of Health and Human Services in the event of a breach of unsecured PHI.
It’s important to note that covered entities are not the only entities subject to HIPAA regulations. Business associates, which are entities that provide services to covered entities and have access to PHI, are also required to comply with HIPAA regulations. This includes third-party billing companies, IT service providers, and others who handle PHI on behalf of covered entities.