Covered Entities
Covered entities are institutions, organizations, or persons that must comply with HIPAA regulations. They include:
- Health Plans
  - Health insurance companies, HMOs, and employer-sponsored group health plans
  - Government programs such as Medicare and Medicaid
- Healthcare Providers
  - Doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, dentists
  - Covered only if they transmit health information electronically in connection with a transaction for which HHS has adopted a standard (e.g., claims, eligibility checks, payment and remittance)
- Health Care Clearinghouses
  - Entities that convert nonstandard health information into a standard electronic format, or vice versa (e.g., billing services that reformat claims)
- Business Associates
  - Persons or entities that perform functions or services for a covered entity involving the use or disclosure of PHI (e.g., claims processing, data analysis, billing, hosting or other IT services)
  - Includes vendors and contractors, but not members of the covered entity's own workforce
  - Strictly speaking a business associate is not itself a covered entity, but since the HITECH Act it is directly liable for compliance with the Security Rule and the applicable Privacy Rule provisions, and must operate under a business associate agreement (BAA) with the covered entity
  - A covered entity can also act as a business associate for another covered entity
Non-Covered Entities
Non-covered entities are not directly subject to HIPAA, but some still have privacy or breach-notification obligations under other rules or professional guidance, such as the FTC's Health Breach Notification Rule for PHR vendors that HIPAA does not cover, or guidance from the American Medical Association (AMA). They are still expected to protect any health information they collect and to keep it from being compromised. Examples include:
- Personal Health Record (PHR) vendors
- Personal record storage (exercise logs, calorie tracking, etc.)
- Providers that never conduct an HHS-standard transaction electronically (e.g., a cash-only counselor who keeps paper records and does not bill insurers electronically)
- Public health authorities (depending on jurisdiction)
