Are You A Covered Entity
Updated August 2010 by David Jensen, JD, CAMFT Staff Attorney
Understanding which health care providers are and who are not covered entities is important because such entities must comply with HIPAA, a complex body of federal regulations. Health care providers who are covered entities must comply with all of HIPAA's and its component parts, which will necessitate expenditures of time and some money. But, if you are a health care provider who is not a covered entity, then you do not have to comply with HIPAA, unless you choose to do so.
To be a covered entity, a health care provider must transmit health information in electronic form in connection with certain administrative and financial transactions.2 Notice that the definition of a covered entity, with respect to providers, includes three sub-questions that must be answered before you can answer the ultimate question of whether you, as a health care provider, are a "covered entity." Those three sub-questions are: (1) are you a health care provider? (2) do you transmit information electronically? and, (3) do you conduct covered transactions?
For you to be a covered entity, you must answer yes to each of the questions listed above, or someone, such as a billing service, must conduct these transactions electronically on your behalf. If you only answer yes to one or two of them, or if you do not employ someone to conduct the covered transactions on your behalf, then you are not a covered entity and HIPAA does not apply to you.
Are You a Health Care Provider?
To determine if you are a covered entity, the first question you have to answer is: are you a health care provider? A "health care provider" is any person who furnishes, bills, or is paid for health care in the regular course of their business.2 Included within the definition of health care is rendering counseling for mental conditions.3 Consequently, marriage and family therapists, interns, and trainees are health care providers within the meaning of HIPAA.
Do You Transmit Information Electronically?
Assuming you are a health care provider, to determine if you are a covered entity the second question that you must answer is: do you transmit information electronically?
Transmitting information electronically means to use computer-based technology to transmit and store health information.4 For instance, using the Internet, an Extranet, leased lines, dial-up lines, private networks and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media come within the meaning of the definition.5
Since the majority of our members do not utilize Extranets, leased lines, dial-up lines, or private networks, the question here really is do you use the Internet to transmit information? If you do, you may be a covered entity, but you are not necessarily one. Keep in mind that to be a covered entity you must answer yes to all three questions.
Before we turn to the subject of covered transactions, however, perhaps you noticed that missing from the laundry list of items that constitutes electronic transmissions are facsimile transmissions. So, what about faxing information to other covered entities? Does doing so make you a covered entity? I am pleased to report that faxing information to other covered entities does not make someone a covered entity for HIPAA's purposes. The Centers for Medicare & Medicaid Services has informed CAMFT that the federal government does not consider the faxing of information to be an electronic communication for HIPAA's purposes.
Do You Conduct Covered Transactions?
Assuming that you are a health care provider and that you do communicate electronically with other covered entities in your practice, to determine if you are a covered entity the third question that you must answer is: do you conduct covered transactions?
A covered transaction for HIPAA's purposes involves transmitting information between covered entities to carry out certain financial or administrative activities related to health care.6 These activities are referred to both as covered transactions and standard transactions, and the terms are synonymous. The emphasis, however, is on certain administrative and financial transactions. It's not all administrative and financial transactions that we are concerned about, however. It's just the transactions that have been listed in the federal regulations. Currently, the list includes eight such transactions. Those transactions are:
- A request to obtain payment from a health plan for the rendering of health care to one of your patients, and any necessary accompanying information regarding the health care;7
- An inquiry regarding a patient's eligibility, coverage, or benefits under a health plan, or a response from a health plan to you about such issues;8
- A request that treatment or a referral be authorized, or a response to such a request;9
- An inquiry regarding the status of a health care claim made by you, or a response about the status of such a claim;10
- Transmission of subscriber (patient) information to a health plan to establish or terminate insurance coverage;11
- Transmission of the following information from a health plan to a health care provider's financial institution: payment, information about the transfer of funds, or payment processing information. Or, transmission of the following information from a health plan to a health care provider: explanation of benefits information or remittance advice;12
- Conducting health plan premium payment transactions (typically not done by health care providers); and,13
- Transmission of claim or payment information to a health plan for the purpose of determining the relative payment responsibilities of such plan for health care (coordination of benefits).14
What is important here for you to understand is that to be a covered entity you, as a health care provider, must be conducting one of these administrative or financial transactions electronically, i.e., via the Internet. Please note, however, that a couple of these transactions can be triggered not by what you do electronically, but by what a health plan does electronically. For instance, if you call a health plan to get treatment authorized and the health plan does not answer your question while you are on the telephone but then responds to your question via the Internet, you've just become a covered entity, even though you never intended to do so. You have become a covered entity because the health plan responded to your question electronically.
Moreover, if you don't personally conduct these administrative or financial transactions electronically, but you employ someone, such as a billing service, to do this work for you and they conduct the transactions electronically, you also become a covered entity, again not because of what you have done but because of what someone has done on your behalf.
Who Isn't a Covered Entity?
Up to this point we have looked at who is a covered entity, but now its time to take a different perspective and look at who is not a covered entity. Basically, if you do not accept any forms of insurance, i.e., meaning you accept only cash paying patients, or if you submit your insurance claims by mail or fax, or if you give the insurance forms to your patients so that they can mail or fax the forms to their carriers, you are not a "covered entity" and you do not have to comply with HIPAA, unless you choose to do so.
How Can I Avoid Being a Covered Entity?
The key to avoid becoming a covered entity is to realize what makes one a covered entity in the first place. If you hark back to the definition of a covered entity, you should know that it is a health care provider who conducts certain financial or administrative transactions electronically. Obviously, there is nothing that you can do about the fact that you are a provider of health care. What you can control, and what you must control if you do not want to become a covered entity, are the other two parts of the definition: the electronic communication part or the standard/covered transactions part.
If you want to avoid becoming a covered entity, you must never use your computer, which means most likely the Internet, to conduct one of the standard/covered transactions. This does not mean that you cannot use a computer in your practice; it only means that you cannot use your computer to conduct one of the standard/covered transactions. To avoid getting hooked by HIPAA, if you interact with health plans, you must use only your phone, the mail, or your fax machine. You must also keep in mind that hiring someone to do these things for you, such as a billing service, will also make you a covered entity if such person conducts one of the standard/covered transactions electronically on your behalf. Lastly, and I cannot stress this enough, do not allow health plans to communicate with you electronically. Insist that they use only the phone, the mail, or the fax machine to communicate with you.
1 45 C.F.R. 164.104
2 45 C.F.R. 160.103
3 45 C.F.R. 160.103
4 45 C.F.R. 160.103
5 45 C.F.R. 160.103
6 45 C.F.R. 160.103
7 5 C.F.R. 162.1101
8 45 C.F.R. 162.1201
9 45 C.F.R. 162.1301
10 45 C.F.R. 162.1401
11 45 C.F.R. 162.1501
12 45 C.F.R. 162.1601
13 45 C.F.R. 162.1701
14 45 C.F.R. 162.1801