Am I a HIPAA Covered Entity?

HIPAA covered entity

HIPAA covered entities have strict regulatory requirements outlined in by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA covered entities are clearly defined in the regulation as any health plan, health care clearinghouse, or health care provider who transmits any protected health information (PHI). PHI is any demographic information collected by a covered entity that can be used to identify a patient. That includes names, addresses, dates of birth, social security numbers, and medical information, to name a few examples.

To determine if you are a covered entity, use this simple guidance offered by the Centers for Medicare and Medicaid Services (CMS).

But what does that mean for your practice? Below, we discuss the regulatory requirements that all HIPAA covered entities are mandated to address in order to keep PHI private and secure.

HIPAA Compliance for Covered Entities

A HIPAA covered entity must address all of the regulatory standards set out in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.

An effective HIPAA compliance program must address:

  • Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
  • Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse any potential HIPAA violations.
  • Policies, Procedures, Employee Training – To avoid HIPAA violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is also required.
  • Documentation – Your practice must document efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
  • Business Associate Management – You must document all vendors with whom you share PHI, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
  • Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.

HIPAA Resources

Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.

Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.

With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.

Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!


Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.



Rate this post!

(5 raters, 22 scores, average: 4.40 out of 5)

2 comments on “Am I a HIPAA Covered Entity?

  1. Question: I had been told by lawyers at the California Assn of Marriage and Family Therapy that you were only a HIPAA covered entity if you transmitted PHI via the internet, since HIPAA really addresses internet transactions. Therefore, he said, providers who transmitted all info to health plans via fax, phone, and snail mail were not HIPAA covered entities. Your article seems to suggest that all therapists are HIPAA covered entities. Please respond.

Leave a Reply

Name and email are required. Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.