
The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates?

Covered Entities Under HIPAA

Covered entities under HIPAA are individuals or organizations that electronically transmit protected health information (PHI) in connection with standard transactions such as claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization.
PHI includes:

  • Any conversations a patient has with a physician or nurse about his or her treatment
  • A patient’s billing information
  • Medical information in the patient’s health insurance company’s database

Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, HMOs, and company health plans. Healthcare providers include doctors, dentists, psychologists, chiropractors, nursing homes, pharmacies, and clinics.
HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

Business Associates Under HIPAA

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Examples of business associates:

  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

Before a business associate is given PHI, or access to systems containing PHI, it must enter into a HIPAA-compliant business associate agreement with the covered entity. A business associate agreement is a contract that describes the business associate's responsibilities with respect to HIPAA and PHI, including the permitted uses and disclosures of the PHI and the safeguards the business associate must apply to protect it.

Penalties for Noncompliance with HIPAA Rules

Failure to comply with any aspect of HIPAA can result in financial penalties. The maximum penalty for a HIPAA violation is $50,000 per violation, up to a maximum of $1.5 million per violation category per year.
If HIPAA violations have been allowed to persist for several years, or if multiple violations of HIPAA Rules are discovered, multi-million-dollar fines are possible. Criminal penalties are also possible for certain HIPAA violations.

Ponemon Institute 2017 Cost of Data Breach Study:

Estimated cost per compromised healthcare record: $380

Indirect Costs

  1. Turnover of existing customers – loss of customers / patients
  2. Diminished customer acquisition – customers / patients not using a practice because its reputation is damaged

Direct Costs

  1. Detection and escalation costs – forensic investigative activities, crisis management activities
  2. Notification costs – IT activities to create a contact database, determination of regulatory requirements, postage, etc.
  3. Post-data-breach costs – help desk activities, inbound communications from customers, identity protection services, etc.