The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules apply only to those the law considers Covered Entities (CEs). Does this mean that not every health care provider is a Covered Entity? The answer is not a straight yes or no: even though you may not consider yourself a CE, you are still subject to state privacy laws and national laws that govern the use and disclosure of patients’ Protected Health Information (PHI). This means that, as a health care provider, you are expected to ensure that all information you create, collect and maintain in your practice is secured. Electronic Protected Health Information (ePHI) must be used and disclosed in a way that protects the information against any form of risk.
According to HIPAA, a health care provider identified as a Covered Entity (CE) is any health care provider who transmits any health information in electronic form in connection with a transaction. The Human Health Service (HHS) has adopted a standard which identifies the categories of health care providers that fall under HIPAA as CEs; these are chiropractors, clinics, dentists, doctors, nursing homes, pharmacies and psychologists. Note that even if you do not render a health care service, as long as your practice allows you to interface with patients for the supply of health care materials or equipment, you are a CE and are subject to the HIPAA Security, Privacy and Breach Notification Rules.
The HIPAA Rules also consider another category to be CEs: health plans. A health plan is any individual or group plan that provides or pays the cost of health care. This may include company health plans; government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs; health insurance companies; and health maintenance organizations (HMOs). Health care clearinghouses are also CEs. These are public or private entities that are involved in processing another entity’s health care transactions from a standard format to a non-standard format, or vice versa. These include billing services, community health management information systems, repricing companies and value-added networks.