Covered Entity Definition

A Covered Entity is:

A health plan. An individual or group plan that provides, or pays the cost of, medical care. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration)

A health care provider. A provider of health care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by HHS. (e.g., billing)

A health care clearinghouse. A public or private entity, including a billing service, repricing company, or community health information system, that processes non-standard data or transactions received from another entity into standard transactions or data elements, or vice versa.



Dentist Revises Process to Safeguard Medical Alert PHI Covered Entity: Health Care Provider Issue: Safeguards, Minimum Necessary An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating ...read more



If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate.  Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules.  An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...read more



Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Covered Entity: Outpatient Facility Issue: Impermissible Uses and Disclosures An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board ...read more



May a covered entity dispose of protected health information in dumpsters accessible by the public? For example, depending on the circumstances, proper disposal methods may include (but are not limited to): Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.In justifiable cases, based on the size and the ...read more

July 2026
SuMoTuWeThFrSa
1234
567891011
12131415161718
19202122232425
262728293031

Blog Home

Newest Blog Entries
1/21/25 Understanding Business Associate Agreements

11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims

11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme

11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges

11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6

11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach

11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth

11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations

11/12/22 May a covered entity use or disclose protected health information for litigation?

11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

Blog Archives
January 2025 (1)
November 2022 (54)

Blog Labels
HIPAA (2)
BAA (4)
ePHI (2)
Covered Entity (40)
PPP Fraud (1)
HIPAA Enforcement (3)
EHR Fraud (1)
Data Breach (1)
Telehealth (1)