The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and sets forth a comprehensive set of standards for protecting sensitive patient health information. The Privacy Rule applies to every organization that meets the definition of a "covered entity", which generally means health care providers, health plans and health care clearinghouses, and, since the 2013 Omnibus Final Rule, to the business associates of those covered entities for the provisions that apply to them.
However, there are certain types of entities that are excluded from the definition of a covered entity, and as such, are not subject to the requirements of the Privacy Rule. These entities are commonly referred to as "non-covered entities." In this blog post, we will provide a brief overview of non-covered entities under HIPAA and introduce a free tool you can use to determine if your organization is a covered entity.
What is a Non-Covered Entity Under HIPAA?
As mentioned above, a non-covered entity is an entity that does not meet the definition of a covered entity and therefore is not bound by the HIPAA Privacy Rule as a covered entity. Two categories are frequently mislabeled as non-covered entities and deserve a closer look: business associates and hybrid entities.
Business associates are individuals or organizations that create, receive, maintain or transmit protected health information (PHI) while performing functions or activities on behalf of, or providing services to, a covered entity. They are not covered entities, but they are not outside HIPAA either: since the HITECH Act and the 2013 Omnibus Final Rule, business associates are directly liable for complying with the Security Rule, with the Breach Notification Rule and with the Privacy Rule provisions that apply to them, in addition to whatever their business associate agreement requires. Hybrid entities are the opposite case: a hybrid entity is a single legal entity that is a covered entity, performs both covered and non-covered functions, and has designated its covered functions as "health care components". The HIPAA rules apply to those health care components rather than to the organization as a whole.
It is also important to note that business associates and hybrid entities may have additional obligations under state law, which can be stricter than HIPAA.
Put differently, a non-covered entity is any individual, business or agency that is NOT a health care provider conducting standard transactions in electronic form, NOT a health care clearinghouse and NOT a health plan.
Examples of companies that are not HIPAA covered entities (several are health-technology vendors that may still act as business associates, and so sign BAAs and fall under the Security Rule, whenever they handle PHI for a covered entity):
- Fitbit
- Olive AI
- Zus Health
- Vim
What is a Covered Entity under HIPAA?
A “covered entity” is the inverse of the above, defined in 45 CFR 160.103 as:
- A health plan;
- A health care clearinghouse; or
- A health care provider who transmits any health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (45 CFR Part 162).
Examples of covered entities include:
- Hospitals that transmit patient information electronically for billing;
- Physician practices, clinics and groups that submit claims, check eligibility or conduct other HHS-adopted standard transactions electronically;
- Health insurers and other health plans, which are covered entities by definition, whether or not they maintain online policyholder portals;
- Pharmacies that bill electronically; and
- Laboratory companies, if they bill electronically for their services or engage in other electronic transactions for which HHS has adopted standards.
Note that the electronic-transaction test applies only to health care providers; health plans and clearinghouses are covered entities regardless of how they transmit information.
Is a Business Associate Agreement (BAA) required for non-covered entities?
A BAA is not required simply because an organization is not a covered entity; it is required when a non-covered entity acts as a business associate. Whenever a covered entity engages a vendor that will create, receive, maintain or transmit PHI on its behalf, the two must have a BAA in place before PHI is shared. The BAA is the contract between the covered entity and the business associate that sets out the permitted uses and disclosures of PHI, the safeguards the business associate must apply, its duty to report breaches and security incidents, its obligation to flow the same terms down to its own subcontractors, and what happens to the PHI when the contract ends.
The obligation follows the PHI down the chain. A covered entity signs a BAA with each business associate it engages directly. If that business associate in turn hands PHI to a subcontractor, the subcontractor is itself a business associate, and it is the business associate, not the covered entity, that must have a BAA with it (45 CFR 164.502(e) and 164.504(e)). Every link in the chain is therefore covered by a BAA with the party immediately upstream, and each party should confirm that the agreement with the link below it exists before passing PHI along.
Free Covered Entity HIPAA Compliance Tool
Unsure if your organization is a Covered Entity? Find out with this free tool.
It can be confusing to determine whether an entity is a covered entity or a non-covered entity. That's why we put together a free tool, based on CMS guidance, that you can use to determine whether an individual, business or agency is a covered entity. Click on the "free tool" link above to use it.
Confirm Your Knowledge
Q: Which option below is not a covered entity under HIPAA?
- Pharmacist
- Workers' Compensation Plan
- Doctor’s Office
- Health Insurance Plan
A: Workers' Compensation Plan. Workers' compensation insurance is an excepted benefit that is carved out of the definition of "health plan" in 45 CFR 160.103, so a workers' compensation plan is not a covered entity, although the providers that treat injured workers usually are.
Summary
Non-covered entities are organizations that fall outside HIPAA's definition of a covered entity: they are not health plans, not health care clearinghouses and not health care providers that conduct standard transactions electronically. Two categories are easy to mislabel. Business associates are individuals or organizations that handle PHI on behalf of a covered entity; they are not covered entities, but they must sign BAAs and are directly liable under the Security Rule, the Breach Notification Rule and the Privacy Rule provisions that apply to them. Hybrid entities are covered entities that perform both covered and non-covered functions; the HIPAA rules apply to their designated health care components.
Both business associates and hybrid entities may also have obligations under state law.