A covered entity is a healthcare provider who transmits health information in electronic form. The term is most prominently used in the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
A covered entity can be an institution, such as a hospital; an organization, such as a research group; or an individual, such as a physician. These covered entities are responsible for protecting against inappropriate transmission of Protected Health Information (PHI) as specified in the Privacy Rule. The consequences for misuse or mishandling of PHI can be “civil monetary penalties, criminal monetary penalties, and/or imprisonment.”
There are two adjunct classifications of covered entities. The first is a hybrid entity, defined as a “single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule”. Thus, a university that has a hospital as one of its components can declare itself a hybrid organization, making those employees who fall under the hospital umbrella covered entities and relieving the rest of the university from the restrictions of the Privacy Rule.
The second adjunct classification is a business associate, who “performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules”. Business associates can also perform “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services” for the covered entity. Covered entities are responsible for obtaining assurances from a business associate that PHI will be appropriately protected.
Submitted by Richard Altman