4.1 HIPAA Overview & Covered Entities
Key Takeaways
- HIPAA Title II Administrative Simplification created the Privacy, Security, Transactions and Code Sets, Unique Identifier, and Breach Notification Rules that govern protected health information.
- The three Covered Entity types are health plans, healthcare clearinghouses, and healthcare providers who transmit any HIPAA standard transaction electronically.
- A Business Associate is any outside person or organization that creates, receives, maintains, or transmits PHI to perform a function for a Covered Entity, and a written Business Associate Agreement is required before PHI is shared.
- Employers, life insurers, workers' compensation carriers, and schools are generally NOT Covered Entities even though they hold health information.
- A hybrid entity designates which components are covered, and an organized healthcare arrangement lets clinically integrated providers share PHI and issue a joint Notice of Privacy Practices.
Why HIPAA Matters for Billers
Quick Answer: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards for protecting patient health information. Its Title II Administrative Simplification provisions produced the rules a biller works under every day: the Privacy Rule, the Security Rule, the Transactions and Code Sets standards, the Unique Identifier standards, and the Breach Notification Rule.
Medical billers handle protected health information (PHI) on every claim. You see diagnoses, procedures, dates of service, insurance identifiers, and payment data. HIPAA defines who may touch that data and under what conditions. Compliance, regulatory, and HIPAA content runs throughout the CPB exam's case scenarios, so you must be able to classify organizations on sight. The current AAPC Certified Professional Biller (CPB) exam is 135 questions over 4 hours, scored pass/fail at 70%, and many items are scenario-based — meaning HIPAA is tested as 'who can do what,' not as recall of statute text.
The Three Covered Entity Types
A Covered Entity (CE) is an organization HIPAA regulates directly. There are exactly three categories, and the exam loves to ask you to identify which one applies:
| Covered Entity | Definition | Billing-World Example |
|---|---|---|
| Health plan | An individual or group plan that pays the cost of medical care | Aetna, a state Medicaid agency, an employer's self-insured group health plan |
| Healthcare clearinghouse | An entity that translates health data between standard and nonstandard formats | A clearinghouse that reformats and scrubs claims before sending them to payers |
| Healthcare provider | A provider who transmits health information electronically in a HIPAA standard transaction | A physician practice that submits 837P electronic claims |
The classic trap: a provider becomes a Covered Entity only if it transmits a HIPAA standard transaction electronically — a claim (837), eligibility request (270/271), claim status (276/277), or remittance (835). A pure cash-only provider who never bills any payer electronically may technically fall outside HIPAA, but in modern practice this is rare, and most providers are covered the moment they file one electronic claim.
Business Associates and the BAA
A Business Associate (BA) is a person or organization, outside the Covered Entity's workforce, that creates, receives, maintains, or transmits PHI to perform a function or service for the Covered Entity. In the billing world the most common BAs are:
- Third-party billing companies and revenue cycle management firms
- Clearinghouses acting on a provider's behalf
- Collection agencies pursuing patient balances
- Electronic health record (EHR) and practice management software vendors
- IT contractors, shredding services, and cloud-storage providers with PHI access
Before any PHI is shared, the CE and BA must sign a Business Associate Agreement (BAA) — a written contract requiring the BA to safeguard PHI, limit its use to the contracted purpose, report breaches to the CE, return or destroy PHI at contract end, and bind its subcontractors to the same terms. A BA cannot legally receive PHI without a signed BAA in place. A vendor who only ships boxes (a courier) or who has no PHI access (a janitorial service) is typically NOT a BA — incidental, transient exposure does not by itself create the relationship.
Hybrid Entities and OHCAs
A hybrid entity is a single legal organization with both covered and non-covered functions. It formally designates its healthcare components, and only those components must follow HIPAA. A university that runs a teaching hospital may designate the hospital as the covered component while the rest of the campus is not.
An organized healthcare arrangement (OHCA) lets clinically integrated providers — for example, the attending physicians and the hospital where they practice — share PHI and issue a single joint Notice of Privacy Practices for treatment, payment, and operations they perform together.
What Is NOT a Covered Entity
Many organizations hold health data yet fall outside HIPAA. Memorize this list, because the exam reliably tests at least one:
- Employers — even when they keep employee health records or run a wellness program
- Life insurers and many disability insurers
- Workers' compensation carriers (claims handled under state WC law instead)
- Schools and most education records (governed by FERPA, not HIPAA)
- Most consumer mobile health apps and fitness trackers sold directly to individuals
These entities are not regulated by HIPAA unless they also function as a health plan, provider, clearinghouse, or Business Associate. The single distinguishing question is always function, not size or industry.
Working the Classification on the Exam
When a CPB scenario hands you an organization, decide its status with three quick questions in order. First, is it one of the three Covered Entity types — a health plan, a clearinghouse, or a provider that bills electronically? If yes, it is a Covered Entity and is directly regulated. Second, if it is not a CE, does it create, receive, maintain, or transmit PHI to perform work for a CE? If yes, it is a Business Associate and needs a signed BAA. Third, if neither, it is simply not regulated by HIPAA — no matter how much health data it touches.
Watch the wording carefully. A 'self-insured employer plan' is a health plan (covered), but the employer in its role as employer is not. A software vendor that merely hosts ePHI is a BA even if no human ever reads the data. A courier delivering sealed records is generally not a BA because access is incidental and transient. Treating that incidental-access exception correctly separates a passing answer from a trap distractor.
A physician practice contracts with an outside company to submit its claims, post payments, and follow up on denials. The billing company will access patient records to do this work. How is the billing company classified under HIPAA?
An employer maintains health records on its employees as part of an on-site wellness program. Which statement is correct?