It’s easy to find a news story with someone misrepresenting what HIPAA is, what it means, and what it does.  Most people have incorrect assumptions about how it protects their health records and information from ‘the world at large’.  It does protect private health information, and it was created to allow for easy access to one’s health records, but privacy is nowhere to be found in the name.  Most of the confusion centers around who or what is accountable to the laws and regulations of the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.

Perhaps adding to the confusion is the similar-sounding Hippocratic Oath, which is spelled differently and is named after the Greek father of medicine, Hippocrates.  Not HIPAAcrates, who as far as we know is a nonexistent person.  That oath of ethics is taken by physicians when they swear to uphold ethical standards, including patient-doctor confidentiality and non-maleficence, which broadly translates to “first, do no harm”; in other words, it is more important not to harm your patient than it is to do them good.  This can prevent doctors from trying out a remedy without a full analysis of the situation.

But let’s get back to HIPAA. Your protected health information (PHI) is governed by rules and regulations under this law as it pertains to covered entities.  So then, what is a HIPAA entity? As defined, they are:

  1. Health plans
  2. Health care clearinghouses
  3. Health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards

Health Plans

This includes health insurance companies, HMOs or health maintenance organizations, employer-sponsored health plans, or government programs that pay for health care.  Examples of this are Medicare, Medicaid, and any military and veteran health programs.

Health Care Clearinghouses

This includes organizations that process nonstandard health information they receive from another entity into a standard data content or format (or vice versa).  These are the “middlemen” between healthcare providers and insurance payers.  They check for errors in medical claims.

Health Care Providers

These are providers that submit HIPAA transactions, such as claims, electronically.  A few examples are doctors, psychologists, dentists, and chiropractors.  It also includes nursing homes and pharmacies.

Business Associates

Also known as BAs, these are not covered entities (CEs), but if they engage with a covered entity to carry out health care activities and functions, they must have a written business associate contract that establishes what they as a BA have been engaged to do and that they will comply with HIPAA.

So, you see, HIPAA doesn’t protect you as a citizen from every inquiry into your healthcare information.  Otherwise, the activity tracker you are using couldn’t collect data, and the social media group that supports cancer survivors, or even the mail-order DNA test, would be in violation of HIPAA simply for existing in the way that they currently do.

HIPAA can be confusing but understanding these basic principles of what it does can help to clear up some confusion. Not sure if you’re a HIPAA-covered entity or business associate? Looking to make sure you’re complying with HIPAA regulations? We can help! Contact us:
