Covered Entities vs Non-Covered Entities under HIPAA | Metomic (2024)

Key Points:

  • Understanding the difference between Covered Entities and Non-Covered Entities is crucial for compliance with HIPAA, especially the Privacy Rule.
  • Covered entities include health plans, clearinghouses, and certain healthcare providers like doctors, pharmacies, and dentists who submit electronic claims.
  • Non-covered entities, not bound by the Privacy Rule, can include wearable tech, health apps, or providers not dealing with electronic data. It's essential to determine your classification to ensure compliance and avoid penalties under HIPAA.

If you’re dealing with healthcare data, and are based in the US, it’s likely you’ll need to comply with HIPAA.

Our ultimate guide to HIPAA regulations outlines everything you need to know about the federal law, including a breakdown of the different rules you’ll need to abide by.

However, when it comes to the Privacy Rule, you’ll only need to comply if you’re classed as a covered entity.

What is a HIPAA covered entity?

According to the Centers for Medicare and Medicaid Services, a covered entity includes health plans, clearinghouses, and certain health care providers.

That could look like:

  • Health insurance companies
  • Healthcare, such as Medicare, that’s paid for by the government
  • Providers who submit claims electronically, like doctors, pharmacies, and dentists
  • Clearinghouses that transmit data between medical professionals and health plans

Typically, any organisation or person that transmits data around payment transactions for medical treatment or insurance is classed as a covered entity under HIPAA. That could be hospitals, pharmacies, clinics, and nursing homes, as well as certain medical researchers if they are providing healthcare services and transmitting health data.

What is a non-covered entity under HIPAA?

Non-covered entities don’t fall under the Privacy Rule but may still have to comply with other aspects of HIPAA. They are not healthcare providers, healthcare clearinghouses, or health plans, but often store health-related information.

Examples of non-covered entities include:

  • Wearable tech such as Fitbit or Apple Watch
  • Health apps you might have downloaded like Noom or MyFitnessPal
  • Providers who don’t deal with electronic data

Be sure to check whether your business is covered or non-covered to make sure you’re fully compliant with all the legal requirements. There can be heavy financial penalties to pay if you’re found to be flouting the law.

What is a BAA?

Covered entities might need to use a business associate to help them process healthcare data.

A BAA is a Business Associate Agreement. To ensure the business associate is compliant, a BAA must be drawn up that outlines exactly what the business associate has been employed to do, and reiterates that they must comply with HIPAA.

A business associate could be a subcontractor like a transcriptionist, or a data transmission service provider. The Legal Information Institute at Cornell Law School outlines the full definition of a business associate in 45 CFR § 160.103.

A covered entity could also be a business associate of another covered entity.

How can you check if you’re a covered or non-covered entity under HIPAA?

The Department of Health and Human Services and the Centers for Medicare and Medicaid Services have created a tool you can use to help you understand whether you’re a covered or a non-covered entity.

You can check it out here.

Can Metomic help you comply with HIPAA?

Metomic is a data security software tool that helps security and compliance teams identify where sensitive data is stored in their SaaS apps, and understand who has access to it.

It can help you discover where PHI and PII are stored, and you can set custom rules to remediate or redact data when it’s shared in apps like Slack, Google Drive, or Jira.

Ben Van Enckevort, CTO at Metomic, says:

“Healthcare organisations will hugely benefit from Metomic’s ability to accurately detect sensitive PHI so they can minimise the risk to their business. Real-time employee notifications can help security teams educate the wider workforce on their security policies too so they can start building a culture that really does care about security.”

Author: Terrell Hackett
