covered entity (HIPAA)
HIPAA's regulations directly cover three basic groups of individual or corporate entities: health plans, health care providers, and health care clearinghouses. Each of these in turn is given an expansive regulatory definition, summarized roughly as follows:
- health plan means any individual or group plan that provides, or pays the cost of, medical care -- including public and private health insurance issuers, HMOs or other managed care organizations, employee benefit plans, the Medicare and Medicaid programs, military/veterans plans, and any other "policy, plan or program" for which a principal purpose is to provide or pay for health care services;
- health care provider means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business; and
- health care clearinghouse means a public or private entity, including a billing service, repricing company, community health information system, and value-added networks and switches, that either processes or facilitates the processing of health information.
In short, an organization that routinely handles protected health information in any capacity is in all probability a covered entity. (See 45 CFR 160.103 for the few statutory exemptions.)
In turn, the behavior of any person in the covered entity's workforce is covered by extension. (Some persons, such as physicians, are themselves covered entities.)
Organizations performing functions involving PHI on behalf of covered entities would be reached under the business associate contracts that HIPAA requires for such relationships. Behavior of individuals in the business associates' workforces would be covered in turn.
DHHS "First Guidance" on the Final Privacy Rule lists the following generic requirements for covered entities:
- designating a privacy office/officer to be responsible for seeing that the privacy procedures are adopted and followed; and