4.1 HIPAA Overview & Covered Entities
Key Takeaways
- HIPAA Title II Administrative Simplification created the Privacy, Security, Transactions, and Breach Notification Rules that govern protected health information.
- The three Covered Entity types are health plans, healthcare clearinghouses, and healthcare providers who transmit any HIPAA transaction electronically.
- A Business Associate is any outside person or organization that creates, receives, maintains, or transmits PHI to perform a function on behalf of a Covered Entity, and a written Business Associate Agreement is required before PHI is shared.
- Employers, life insurers, workers' compensation carriers, and schools are generally NOT Covered Entities even though they hold health information.
- A hybrid entity designates which parts of its operation are covered, and an organized healthcare arrangement lets clinically integrated providers share PHI for joint operations.
Why HIPAA Matters for Billers
Quick Answer: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards for protecting patient health information. Its Title II Administrative Simplification provisions produced the rules a biller works under every day: the Privacy Rule, the Security Rule, the Transactions and Code Sets standards, the Unique Identifier standards, and the Breach Notification Rule.
Medical billers handle protected health information (PHI) on every claim. You see diagnoses, procedures, dates of service, insurance identifiers, and payment data. HIPAA defines who is allowed to touch that data and under what conditions. About 15% of the CPB exam covers compliance, and HIPAA is the largest part of that domain.
The Three Covered Entity Types
A Covered Entity (CE) is an organization HIPAA regulates directly. There are exactly three categories:
| Covered Entity | Definition | Billing-World Example |
|---|---|---|
| Health plan | An individual or group plan that pays the cost of medical care | Aetna, a state Medicaid agency, an employer self-insured plan |
| Healthcare clearinghouse | An entity that translates health data between standard and nonstandard formats | A billing clearinghouse that reformats claims for payers |
| Healthcare provider | A provider who transmits health information electronically in a HIPAA standard transaction | A physician practice that submits 837P claims |
A key trap: a provider becomes a Covered Entity only if it transmits a HIPAA standard transaction electronically (a claim, eligibility request, or remittance). A cash-only provider who never bills electronically may technically fall outside HIPAA, but this is rare in practice.
Business Associates and the BAA
A Business Associate (BA) is a person or organization, outside the Covered Entity's workforce, that creates, receives, maintains, or transmits PHI to perform a function or service for the Covered Entity. Common billing-industry BAs include third-party billing companies, clearinghouses acting for a provider, collection agencies, EHR vendors, and IT contractors with PHI access.
Before any PHI is shared, the CE and BA must sign a Business Associate Agreement (BAA) — a written contract that requires the BA to safeguard PHI, limit its use to the contracted purpose, report breaches, and ensure subcontractors agree to the same terms. A BA cannot legally receive PHI without a signed BAA in place.
Hybrid Entities and OHCAs
A hybrid entity is a single legal organization with both covered and non-covered functions. It formally designates its healthcare components, and only those components must follow HIPAA. A university that runs a teaching hospital may designate the hospital as covered while the rest of the campus is not.
An organized healthcare arrangement (OHCA) lets clinically integrated providers — for example, the physicians and the hospital where they practice — share PHI and issue a joint Notice of Privacy Practices for shared treatment, payment, and operations.
What Is NOT a Covered Entity
Many organizations hold health data yet fall outside HIPAA:
- Employers — even though they keep employee health records
- Life insurers and many disability insurers
- Workers' compensation carriers
- Schools, whose student education records are generally governed by FERPA instead
- Most mobile health apps and fitness trackers sold directly to consumers
These entities are not regulated by HIPAA unless they also function as a health plan, provider, clearinghouse, or BA.
A physician practice contracts with an outside company to submit its claims, post payments, and follow up on denials. The billing company will access patient records to do this work. How is the billing company classified under HIPAA?
An employer maintains health records on its employees as part of an on-site wellness program. Which statement is correct?