HIPAA applies to:
- Health plans (such as health insurance companies)
- Health care clearinghouses (such as billing companies)
- Health care providers (including doctors, hospitals, laboratories, and pharmacies)
HIPAA refers to these 3 groups as covered entities.
(January 2013 final rule modification) The standards, requirements, and implementation specifications of HIPAA also apply to business associates who may access protected health information (PHI).
A business associate:
- is not a member of the workforce of the covered entity.
- may provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity, where the provision of the service involves the disclosure of PHI from the covered entity to that person.
- may access PHI for claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, or patient safety activities listed at 42 CFR 3.20.