About Us | Chapters | Advertising | Join
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
Understanding who is and who is not a covered entity, as well as how you can avoid becoming a covered entity, is important because such entities must comply with HIPAA.
by David G. Jensen, JD
Updated July, 2012 by David G. Jensen, JD,
CAMFT Staff Attorney
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is like a puzzle, albeit a very complex one. And, at the center of such puzzle is the piece labeled covered entities. All of the other pieces of the HIPAA puzzle revolve around the concept of covered entities. It is the piece-de-résistance, the touchstone, the linchpin, and the glue that holds the whole HIPAA thing together. This is because HIPAA, by law, only has jurisdiction over covered entities.1 It has no jurisdiction over anyone else. Consequently, it is important for you to understand who is and who is not a covered entity and how health care providers become or avoid becoming covered entities.
Understanding who is and who is not a covered entity, as well as how you can avoid becoming a covered entity, is important because such entities must comply with HIPAA, a complex body of federal regulations. Complying with HIPAA will necessitate expenditures of time and money. But, if you are not a covered entity, then you do not have to comply with HIPAA, unless you choose to do so. The purpose of this article is to apprise you of what covered entities are so that you can determine once and for all if you are such an entity. Moreover, if you are not a covered entity, and do not ever want to become one, this article will also point out things to avoid doing to prevent yourself from becoming such an entity in the future.
There are three types of covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with certain administrative and financial transactions.2 Notice that the definition of a covered entity, with respect to providers, includes three sub-questions that must be answered before we can answer the ultimate question of whether you, as a health care provider, are a "covered entity." Those three sub-questions are: (1) are you a health care provider? (2) do you transmit information electronically? and, (3) do you conduct covered transactions?
For you to be a covered entity, you must answer yes to each of the questions listed above, or someone, such as a billing service, must conduct these transactions electronically on your behalf. If you only answer yes to one or two of them, or if you do not employ someone to conduct the covered transactions on your behalf, then you are not a covered entity and HIPAA does not apply to you.
Are You a Health Care Provider?
To determine if you are a covered entity, the first question you have to answer is: are you a health care provider? A "health care provider" is any person who furnishes, bills, or is paid for health care in the regular course of their business.3 Included within the definition of health care is rendering counseling for mental conditions. 4 Consequently, marriage and family therapists, interns and trainees are health care providers within the meaning of HIPAA.
Do You Transmit Information Electronically?
Assuming you are a health care provider, to determine if you are a covered entity the second question that you must answer is: do you transmit information electronically?
Transmitting information electronically means to use computer-based technology to transmit and store health information.5 For instance, using the Internet, an Extranet, leased lines, dial-up lines, private networks and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media come within the meaning of the definition.6 Since the majority of our members do not utilize Extranets, leased lines, dial-up lines, or private networks, the question here really is do you use the Internet to transmit information? Before you say "yes," be advised that it is not just any information that is transmitted that matters. It has to be "special" information that is transmitted. This "special" information is information used when conducting one of HIPAA’s covered transactions, which is a subject we will examine in the next section of this article.
Before we turn to the subject of covered transactions, however, you undoubtedly noticed that missing from the laundry list of items that constitutes electronic transmissions are facsimile transmissions. So, what about faxing information to other covered entities? Does doing so make you a covered entity? I am pleased to report that faxing information to other covered entities, from a stand-alone fax machine, does not make someone a covered entity for HIPAA’s purposes. However, if you fax information from your computer, such activity would bring you under HIPAA's jurisdiction. The Centers for Medicare & Medicaid Services has informed CAMFT that the federal government does not consider the faxing of information from a stand-alone fax machine to be an electronic communication for HIPAA’s purposes.
Do You Conduct Covered Transactions?
Assuming that you are a health care provider and that you do communicate electronically with other covered entities in your practice, to determine if you are a covered entity the third question that you must answer is: do you conduct covered transactions?
A covered transaction for HIPAA’s purposes involves transmitting information between covered entities to carry out certain financial or administrative activities related to health care.7 These activities are referred to both as covered transactions and standard transactions, and the terms are synonymous. The emphasis, however, is on certain administrative and financial transactions. It’s not all administrative and financial transactions that we are concerned about, however. It’s just the transactions that have been listed in the federal regulations. Currently, the list includes eight such transactions. Those transactions are:
What is important here for you to understand is that to be a covered entity you, as a health care provider, must be conducting one of these administrative or financial transactions electronically, i.e., via the Internet. For instance, you must request payment via the Internet, or you must inquire about a patient's eligability for coverage via the Internet. If you perform these tasks, or any of the other covered transactions, via the telephone or mail, they are not considered standard transactions under HIPAA. And, keep in mind the distinction between faxing from a stand-alone fax machine and faxing from your computer.
Moreover, if you don’t personally conduct these administrative or financial transactions electronically, but you employ someone, such as a billing service, to do this work for you and they conduct the transactions electronically, then you also become a covered entity, not because of what you have done but because of what someone has done on your behalf.
So, what does being a covered entity entail? The short answer is a lot. If you are a covered entity, then you must comply with HIPAA, which is an extremely complicated endeavor that we will continue to examine in upcoming issues of The Therapist.
Who Isn’t a Covered Entity?
Up to this point in this article we have looked at who is a covered entity, but now it is time to take a different perspective and look at who is not a covered entity. Basically, if you do not accept any forms of insurance, i.e., meaning you accept only cash paying patients, or if you submit your insurance claims by mail or fax, or if you give the insurance forms to your patients so that they can mail or fax the forms to their carriers, you are not a "covered entity" and you do not have to comply with HIPAA, unless you choose to do so.
How Can I Avoid Being a Covered Entity?
The key to avoid becoming a covered entity is to realize what makes one a covered entity in the first place. If you hark back to the definition of a covered entity, you should know that it is a health care provider who conducts certain financial or administrative transactions electronically. Obviously, there is nothing that you can do about the fact that you are a provider of health care. What you can control, and what you must control if you do not want to become a covered entity, are the other two parts of the definition: the electronic communication part or the standard/ covered transactions part.
If you want to avoid becoming a covered entity, then you must not use your computer, which means most likely the Internet, to conduct one of the standard/covered transactions. This does not mean that you cannot use a computer in your practice; it only means that you cannot use your computer to conduct one of the standard/covered transactions. To avoid getting hooked by HIPAA, if you interact with health plans, you must use only your phone, the mail, or your stand-alone fax machine. You must also keep in mind that hiring someone to do these things for you, such as a billing service, will also make you a covered entity if such person conducts one of the standard/covered transactions electronically on your behalf.
1Office of Civil Rights, "HIPAA Privacy," December 3, 2002
245 C.F.R. 164.104
345 C.F.R. 160.103
445 C.F.R. 160.103
545 C.F.R. 160.103
645 C.F.R. 160.103
745 C.F.R. 160.103
845 C.F.R. 162.1101
945 C.F.R. 162.1201
1045 C.F.R. 162.1301
1145 C.F.R. 162.1401
1245 C.F.R. 162.1501
1345 C.F.R. 162.1601
1445 C.F.R. 162.1701
1545 C.F.R. 162.1801