Am I a HIPAA Covered Entity?


September 1, 2017 | Reading Time: 2 Minutes

HIPAA covered entities have strict regulatory requirements outlined by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA covered entities are clearly defined in the regulation as any health plan, health care clearinghouse, or health care provider who transmits any protected health information (PHI). PHI is any demographic information collected by a covered entity that can be used to identify a patient. That includes names, addresses, dates of birth, social security numbers, and medical information, to name a few examples.

That means that all health care providers, including behavioral health specialists, necessarily fall under HIPAA regulation as a covered entity.

But what does that mean for your practice? Below, we discuss the regulatory requirements that all HIPAA covered entities are mandated to address in order to keep PHI private and secure.

HIPAA Compliance for Covered Entities

A HIPAA covered entity must address all of the regulatory standards set out in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.

An effective HIPAA compliance program must address:

  • Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
  • Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse any potential HIPAA violations.
  • Policies, Procedures, Employee Training – To avoid HIPAA violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is also required.
  • Documentation – Your practice must document efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
  • Business Associate Management – You must document all vendors with whom you share PHI, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
  • Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.
Barbara Griswold, LMFT
6 years ago

Question: I had been told by lawyers at the California Assn of Marriage and Family Therapy that you were only a HIPAA covered entity if you transmitted PHI via the internet, since HIPAA really addresses internet transactions. Therefore, he said, providers who transmitted all info to health plans via fax, phone, and snail mail were not HIPAA covered entities. Your article seems to suggest that all therapists are HIPAA covered entities.

Marlene Maheu, Ph. D.
5 years ago

HIPAA covers all electronic transmissions. Please see the http://hhs.gov website for details: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html If you conduct a few other searches on that site, you’ll see many key facts related to HIPAA and how to comply.
