In this post, we’ll explain the difference between covered and non-covered entities, so you can get a clear understanding of where your business fits.
If you’re dealing with healthcare data and are based in the US, it’s likely you’ll need to comply with HIPAA.
Our ultimate guide to HIPAA regulations outlines everything you need to know about the federal law, including a breakdown of the different rules you’ll need to abide by.
However, when it comes to the Privacy Rule, you’ll only need to comply if you’re classed as a covered entity.
According to the Centers for Medicare and Medicaid Services, a covered entity includes health plans, clearinghouses, and certain health care providers.
That could look like:
Non-covered entities don’t fall under the Privacy Rule but may still have to comply with other aspects of HIPAA.
Examples of non-covered entities include:
Be sure to check whether your business is covered or non-covered to make sure you’re fully compliant with all the legal requirements. There can be heavy financial penalties to pay if you’re found to be flouting the law.
Covered entities might need to use a business associate to help them process healthcare data.
A BAA is a Business Associate Agreement. To ensure the business associate is compliant, a BAA must be drawn up that sets out exactly what the business associate has been engaged to do and reiterates that they must comply with HIPAA.
A business associate could be a subcontractor such as a transcriptionist, or a data transmission service provider. The Legal Information Institute at Cornell Law School publishes the full definition of a business associate, found in 45 CFR § 160.103.
A covered entity could also be a business associate of another covered entity.
The Department of Health and Human Services and the Centers for Medicare and Medicaid Services have created a tool you can use to help you understand whether you’re a covered or a non-covered entity.
You can check it out here.
Metomic is data security software that helps security and compliance teams identify where sensitive data is stored in their SaaS apps and understand who has access to it.
It can help you discover where PHI and PII are stored, and you can set custom rules to remediate or redact data when it’s shared in apps like Slack, Google Drive, or Jira.
Sheree Lim, Head of Product at Metomic, says:
“Healthcare organisations will hugely benefit from Metomic’s ability to accurately detect sensitive PHI so they can minimise the risk to their business. Real-time employee notifications can help security teams educate the wider workforce on their security policies too so they can start building a culture that really does care about security.”
To see how Metomic has helped the consumer insights platform Zappi, take a look at our case study with Hati, Head of Information Security and Data Compliance.