The Department of Health and Human Services can only enforce HIPAA-related penalties against “covered entities” as they are defined by the regulations. The regulations define covered entities as healthcare providers, health plans and healthcare clearinghouses that engage in any number of electronic transactions. A healthcare provider under HIPAA is a person or company that furnishes, bills or is paid for health care. This definition is fairly broad and encompasses not only hospitals and physicians, but also chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, the true scope of parties affected by HIPAA does not end there.
A number of employers have also found that they are covered entities under HIPAA because of their activities running a group health plan for their employees. Typically, these employers elect to be treated as “hybrid entities” to limit the effect of HIPAA’s restrictions to the specific section of their organization that runs the health plan. However, even as a hybrid entity, these employers must undergo all of the typical HIPAA preparation activities, and this can be an expensive proposition.
Finally, there are many companies or individuals that provide services to covered entities which require the use of protected health information. These companies or individuals are called business associates. While they are not liable for penalties under HIPAA, they will find that many business contracts will have to be renegotiated and business practices changed to reflect the privacy requirements.