Covered Entities: Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
Business Associate: A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Business associate functions and activities include: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management and practice management. Business associate services are: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial.
Texas HB300: The Texas HB300 definition of a covered entity includes health care providers as well as other entities and / or individuals who previously were classified as business associates and health care payers. Under this law, an entity is a covered entity and subject to the state’s privacy rules when it:
- Engages in whole or in part in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. This definition includes an Internet site, a business associate (BA), health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, or clinic of health care provider.
- Comes into possession of protected health information.
- Obtains or stores protected health information under this chapter.
- Is an employee, agent, or contractor of a person described above.
Under HB300, employees must be trained every two years and training must be tailored to the employee's specific responsibilities. New employees should be trained within 60 days after hire date