What are HIPAA-Covered Entities, and How Does it Work?

Ross Jackman | June 26, 2023

What are HIPAA-Covered Entities, and How Does it Work?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates regulations that govern the handling of patient data by service providers and care providers in the healthcare industry. It is crucial for healthcare providers to ensure that patient data is not compromised or accidentally leaked. Entities that conduct "covered transactions" in electronic format are covered by HIPAA regulations, while those conducting transactions over-the-phone calls are not. Most of the healthcare industry has the potential to qualify as a HIPAA-covered entity, meaning they must comply with HIPAA regulations.

According to HIPAA rules, covered entities include health plans, health care clearinghouses, and healthcare providers who electronically handle health information.

Health plans may be individual or group plans that provide or pay for medical care, as well as government programs such as Medicare, Medicaid, and military healthcare programs. Compliance with the Employee Retirement Income Act is required for HIPAA-compliant health plans.

Healthcare clearinghouses manage transactions between health plans and healthcare providers to ensure accuracy and may include repricing companies, billing services, health management information communities, and health information systems. Clearinghouses decrease the risk of errors and expedite transactions such as eligibility checks, authorizations, and payments. When these entities process information for health plans, they may receive Personally Identifiable Information (PII) and are required to have a business associate (BA) for protection.

Healthcare providers who electronically handle health information may utilize e-Health technologies such as text messaging, email, websites, push notifications, and mobile-based applications. Electronic health records may contain personal information such as age, gender, ethnicity, health history, medicines, allergies, immunization status, lab test results, hospital discharge instructions, and billing information.

The HIPAA Security Rule also protects the subset of information covered by the Privacy Rule, which includes all individually identifiable health information that is created, received, maintained, or transmitted in electronic form (E-Health), and designates this information as "electronic protected health information."

Software testing and quality assurance companies ensure that products meet quality standards and client expectations for compliance with HIPAA regulations. This methodology employs black-box testing, where the QA person confirms the system's functionality without considering how it was achieved. The process goes beyond detecting bad coding and extends to ongoing checks throughout each development phase to ensure the product complies with the organization’s quality specifications. This approach aims to identify a product’s shortcomings and deficiencies before public release to avoid headaches for the development team and angry customers.


This publication is for informational purposes only, and nothing contained in it should be considered legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information and encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.

Post a Comment