HIPAA FAQ – Covered Entities
Not unless the organization maintaining the tissue repository conducts some other activity that makes it a covered entity. For example, tissue repositories that conduct testing of specimens for the benefit of transplant recipients based on another health care provider’s orders would be covered providers under HIPAA if they conduct electronic transactions for which the HHS has adopted standards.
Covered entities under HIPAA are health care clearinghouses, certain health care providers, and health plans. A “group health plan” is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA.
Thus, the Privacy Rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities. However, the Privacy Rule does control the conditions under which the group health plan can share protected health information with the employer or plan sponsor when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan. See 45 CFR 164.504(f). Among these conditions is receipt of a certification from the employer or plan sponsor that the health information will be protected as prescribed by the rule and will not be used for employment-related actions.
The covered group health plan must comply with Privacy Rule requirements, though these requirements will be limited when the group health plan is fully insured. See the Answer to the FAQ “Is a fully insured health plan subject to all Privacy Rule requirements?” That question, hundreds of FAQs, and a wide range of other guidance and materials to assist covered entities in complying with HIPAA and the Privacy Rule, are available at the Department of Health and Human Services Office for Civil Rights Web site.
The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule since these responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members. In particular, a fully insured group health plan that does not create or receive protected health information other than summary health information (see definition at 45 CFR 164.504(a) (GPO)) and enrollment or disenrollment information is not required to have or provide a notice of privacy practices. See 45 CFR 164.520(a)(2) (GPO).
Moreover, these group health plans are exempt from most of the administrative responsibilities under the Privacy Rule. See 45 CFR 164.530(k). These health plans are still required, however, to refrain from intimidating or retaliatory acts (45 CFR 164.530(g) (GPO)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h) (GPO)). The documentation requirements at 45 CFR 164.530(j) apply to these group health plans only to the extent of amendments, if any, made to the plan documents for the sharing of information with the plan sponsor under 45 CFR 164.504(f) (GPO). Additional information about the Privacy Rule, including guidance and technical assistance materials is available through the Department of Health and Human Services Office for Civil Rights Web site.
No. Certain plans are specifically excluded from having to comply with the HIPAA Administrative Simplification requirements, including the Privacy Rule. See 45 CFR 160.103 (GPO). An employee welfare benefit plan that has less than 50 participants and is administered by the employer that establishes and maintains the plan is not a HIPAA covered entity. These plans, therefore, are not subject to the Privacy Rule. For additional information regarding compliance with the Privacy Rule, see the Office for Civil Rights Web site.
A “group health plan” is a covered entity under the Privacy Rule and the other HIPAA, Title II, Administrative Simplification standards. A “group health plan” is defined as an “employee welfare benefit plan,” as that term is defined by the Employee Retirement Income Security Act (ERISA), to the extent that the plan provides medical care. See 42 USC § 1320d(5)(A) (DOJ) and 45 CFR 160.103 (GPO). Thus, to the extent that a flexible spending account or a cafeteria plan meets the definition of an employee welfare benefit plan under ERISA and pays for medical care, it is a group health plan, unless it has fewer than 50 participants and is self-administered. Employee welfare benefit plans with fewer than 50 participants and that are self-administered are not group health plans. Flexible spending accounts and cafeteria plans are not excluded from the definition of “health plan” as excepted benefits. See 45 CFR 160.103 (GPO), paragraph (2)(i) of the definition of “health plan.”
The Social Security Administration (SSA) is not a covered entity. The collection of individually identifiable health information is not a factor in determining whether an entity is a covered entity. Covered entities are defined in HIPAA; they are
- health plans,
- health care clearinghouses, and
- health care providers that transmit any health information in electronic form in connection with a transaction covered in the HIPAA Transactions Rule.
SSA meets none of these criteria as defined at 45 CFR 160.103 (GPO).
No, providing services to or acting on behalf of a health plan does not transform a third party administrator (TPA) into a covered entity. Generally, a TPA of a group health plan would be acting as a business associate of the group health plan. Of course, the TPA may meet the definition of a covered entity based on its other activities (such as by providing group health insurance). See 45 CFR 160.103 (GPO).
No, the listed types of policies are not health plans. The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
- Coverage only for accident, or disability income insurance, or any combination thereof
- Coverage issued as a supplement to liability insurance
- Liability insurance, including general liability insurance and automobile liability insurance
- Workers’ compensation or similar insurance
- Automobile medical payment insurance
- Credit-only insurance
- Coverage for on-site medical clinics
- Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
Yes, if a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity they must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities.
For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 CFR 160.103. See also the Disclosures for Emergency Preparedness – A Decision Tool.
This tool addresses the question of whether a person, business or agency is a covered health care provider, health care clearinghouse or health plan. If the health department performs some covered functions (i.e., those activities that make it a provider that conducts certain transactions electronically, a health plan or a health care clearinghouse) and other non-covered functions, it may designate those components (or parts thereof) that perform covered functions as the health care component(s) of the organization and thereby become a type of covered entity known as a “hybrid entity.” Most of the requirements of the Privacy Rule apply only to the hybrid entity’s health care component(s). If a health department elects to be a hybrid entity, there are restrictions on how its health care component(s) may disclose protected health information to other components of the health department. See 45 CFR 164.103 and 164.105 for more information about hybrid entities.
Learn More:
The HIPAA Law and Related Information (CMS)
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.
Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth below, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
A covered entity, including a health care provider, may not use or disclose protected health information (PHI), except either: (1) as the HIPAA Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. Generally, the HIPAA Privacy Rule does not permit health care providers to disclose PHI to media personnel, including film crews, without having previously obtained a HIPAA-compliant authorization signed by the patient or his or her personal representative. In other words, health care providers may not allow members of the media, including film crews, into treatment areas of their facilities or other areas where PHI will be accessible in written, electronic, oral or other visual or audio form, without prior authorization from the patients who are or will be in the area or whose PHI will be accessible to the media. It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.
In addition, the health care provider must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.
There are very limited situations in which the HIPAA Privacy Rule permits a covered entity to disclose limited PHI to the media without obtaining a HIPAA authorization. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. In that case, the covered entity may disclose limited PHI about the incapacitated patient to the media if, in the hospital’s professional judgment, doing so is in the patient’s best interest. See 45 CFR 164.510(b)(1)(ii). In addition, a covered entity may disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name. See 45 CFR 164.510(a).
The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility.
A health care provider may utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place. If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate. Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed. See 45 CFR 164.504(e)(2). As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI. In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated.
Finally, covered entities can continue to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the covered entity does not share PHI with the media without the prior authorization of the individuals who are the subject of the PHI.
- “Small health plans” (health plans with annual receipts of $5 million or less), must be in compliance with the Privacy Rule;
- and Covered entities (including small health plans) had to have in place with their business associates written contracts or arrangements that meet Privacy Rule requirements.
Small Health Plans. Small health plans that are subject to HIPAA received an additional year – until April 14, 2004 – to come into compliance with the Privacy Rule. See 45 CFR 164.534(b)(2).
Plans that are self-administered and have fewer than 50 participants are excluded from HIPAA’s Administrative Simplification requirements. The Department of Health and Human Services’ (HHS) “Are you a Covered Entity?” decision tool helps entities determine whether they are health plans or other HIPAA covered entities. These materials, hundreds of FAQs, and a wide range of other guidance and materials to assist covered entities in complying with HIPAA and the Privacy Rule, are available on the OCR Web site.
Business Associate Agreements. As of April 14, 2004, whenever the Privacy Rule requires covered entities to have written contracts or other arrangements with their business associates, these documents must include provisions that comply with Privacy Rule requirements. As modified in August, 2002, the Privacy Rule provided most covered entities with up to one additional year – or until April 14, 2004 – to amend written contracts or other written arrangements that existed prior to October 15, 2002, to meet the Rule’s business associate requirements. (Unless they renewed automatically, contracts or other written arrangements were not eligible for this transition period if they were renewed, modified or newly entered into on or after October 15, 2002.) See 45 CFR 164.532(d) and (e). To assist covered entities in meeting these requirements, OCR has published a Fact Sheet regarding compliance with the Privacy Rule’s business associate requirements, sample business associate contract provisions, and a number of related Answers to Frequently Asked Questions, all of which are available on the OCR Privacy Web site.