A HIPAA covered entity refers to a person, agency, or practice that provides treatment, payment, and operations in healthcare. Covered entities include:
- Health plans (such as health insurance companies)
- Health care clearinghouses (such as billing companies)
- Health care providers (including doctors, hospitals, laboratories, and pharmacies)
The standards, requirements, and implementation specifications of HIPAA also apply to business associates who may access protected health information (PHI).
A business associate:
- is not a member of the workforce of the covered entity.
- may provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity. Provision of the service involves the disclosure of PHI from the covered entity to that person.
- may access PHI for claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; or patient safety activities listed at 42 CFR 3.20.