Covered entities extend beyond healthcare, because non-healthcare industries are also entrusted with sensitive personal information. These entities must implement robust security measures, transparent data practices, and proactive compliance efforts in accordance with HIPAA regulations.
In the context of privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is defined as:
"(1) health plans
(2) health care clearinghouses
(3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards."
While the term is typically associated with healthcare organizations because of regulations like HIPAA, "covered entity" can refer to any organization that handles sensitive personal information and is subject to specific data protection regulations.
More specifically, it extends to financial institutions, insurance companies, educational institutions, government agencies, and technology companies that handle sensitive personal information.
1. Financial institutions: Banks, credit unions, investment firms, and other financial institutions handle sensitive personal and financial information. The Gramm-Leach-Bliley Act (GLBA) mandates that these entities protect customers' non-public personal information, like their sensitive health information, making them covered entities under GLBA regulations.
2. Insurance companies: The insurance sector, much like healthcare, deals extensively with personal data, including health information in the case of health insurance providers. So, insurance companies are considered covered entities and need robust data protection measures to handle PHI.
3. Educational institutions: Schools, colleges, and universities collect a vast array of student data, ranging from academic records to health information and contact details.
In many jurisdictions, educational institutions are recognized as covered entities subject to specific data protection laws, such as the Family Educational Rights and Privacy Act (FERPA).
4. Government agencies: Depending on the jurisdiction, government agencies may be classified as covered entities and are held to stringent data protection standards to safeguard citizens' privacy rights.
More specifically, the HHS states that covered entities include "Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs."
5. Technology companies: The HHS offers Guidance on HIPAA & cloud computing; specifically, this guidance helps technology companies, including cloud service providers (CSPs), understand their HIPAA obligations. It explains, "When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA."
When a covered entity (such as a healthcare provider) hires a cloud service provider (CSP) to handle electronic protected health information (ePHI) on its behalf, the CSP becomes a business associate under HIPAA. The CSP is now subject to HIPAA regulations and must comply with specific requirements regarding the protection and handling of ePHI.
It then states, "Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate."
If a business associate (such as a billing company or IT vendor) working with a covered entity subcontracts some of its services to a CSP, the CSP subcontractor (the CSP hired by the business associate) also becomes a business associate under HIPAA. So, even though the covered entity does not directly contract the CSP, the CSP is still subject to HIPAA regulations, because it handles ePHI on behalf of a business associate, which in turn handles ePHI on behalf of the covered entity.
A covered entity, as defined by HIPAA, is any healthcare provider, health plan, or healthcare clearinghouse that transmits any health information in electronic form.
A business associate is any person or entity that performs certain functions or activities on behalf of or provides certain services to a covered entity that involves the use or disclosure of protected health information (PHI).
Yes, Paubox can assist covered entities and their business associates with HIPAA compliance efforts by providing HIPAA compliant email and text messaging encryption and security solutions.