A covered entity includes healthcare providers, health plans, and healthcare clearinghouses, all required to comply with HIPAA. Informal caregivers, however, are unpaid individuals who provide care in a private setting. They are not legally required to comply with HIPAA.
Under HIPAA, "covered entity" refers to organizations or individuals involved in the healthcare field that handle PHI and must comply with HIPAA’s privacy and security rules. Covered entities include:
Covered entities have access to protected health information (PHI) and must implement safeguards to protect information from unauthorized access, use, or disclosure. Failure to comply with HIPAA can result in significant penalties, including fines and legal action.
Informal caregivers are typically family members, friends, or neighbors providing unpaid care to someone with a health condition, disability, or chronic illness. Informal caregivers are often responsible for tasks such as assisting with daily activities, managing medications, and offering emotional support. While they play a role in the well-being of their loved ones, they are not considered healthcare providers in the formal sense.
Informal caregivers are not part of an official healthcare organization and do not operate within a regulated healthcare system, so they are not classified as covered entities under HIPAA and do not need to comply with HIPAA's privacy and security rules.
See also: HIPAA Compliant Email: The Definitive Guide
The primary distinction between a covered entity and an informal caregiver lies in their legal obligations to protect health information:
“Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information,” writes the HHS. Adherence to HIPAA regulations includes implementing administrative, physical, and technical safeguards to protect PHI. Covered entities must also provide certain rights, such as a patient’s access to their health information and the ability to request corrections, and must ensure that PHI is only used or disclosed for authorized purposes, such as treatment, payment, or healthcare operations.
According to Families Caring for an Aging America, “Caregivers have no special status under the HIPAA Privacy Rule, although their role as caregivers is relevant to providers' exercise of professional judgment over disclosure.”
While not legally bound by HIPAA, informal caregivers are still entrusted with sensitive health information. Informal caregivers must respect the privacy and confidentiality of the individuals they care for, including being mindful of how they share or discuss health information and ensuring that it is only disclosed to those who need to know.
While informal caregivers are not legally bound by HIPAA, they should carefully handle health information by being discreet, securing any records they keep, and only sharing information with those who need to know.
An informal caregiver could become a covered entity if they transition into a formal healthcare role or establish a healthcare practice that handles PHI electronically. In that case, they would be subject to HIPAA regulations.
Covered entities that fail to comply with HIPAA can face significant penalties, including fines ranging from $127 to $1.5 million, legal action, and damage to their reputation. The severity of the penalty depends on the nature and extent of the violation.
Go deeper: What are the consequences of not complying with HIPAA?