
625 HIPAA Privacy Training

Healthcare Provider Responsibilities

Covered Entities

As we mentioned in the course introduction, covered entities can be institutions, organizations, or persons. Covered entities include the following:

  • Health Plans: This includes health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare and Medicaid.
  • Healthcare Providers: This encompasses doctors, clinics, pharmacies, nursing homes, and dentists. Note: Most healthcare providers, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, transmit information in electronic form in connection with a transaction for which HHS has adopted a standard.
  • Health Care Clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard electronic format or data content, or vice versa.

Business Associates

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.

For more information on covered entities and business associates, see the HHS page on Covered Entities and Business Associates.

Non-covered Entities

Non-covered entities are not subject to HIPAA regulations. However, the American Medical Association (AMA) now requires non-HIPAA-covered entities to protect the sensitive protected health information (PHI) they collect. This law mandates that these entities ensure that the products or services they use do not compromise patient privacy. Examples of non-covered entities include:

  • A public health authority (states.aarp.org)
  • Personal Health Record (PHR) vendors
  • Personal record storage, such as exercise and calorie-intake logs
  • Providers who don’t have any records in electronic forms, such as some counselors

To determine your covered-entity status, visit the Centers for Medicare & Medicaid Services (cms.gov).

Knowledge Check

Choose the best answer for the question.

3-1. Which category of covered entities must comply with HIPAA regulations?