Talking with people in the medical community and adjacent industries, I often hear the question, "Are we covered by HIPAA?" Technically, what they are asking is whether they are a covered entity (CE). The U.S. Department of Health and Human Services (HHS) has seemingly made this clear with the following statement:
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Numbers 1 and 2 are pretty clear; however, 3 is still vague. Luckily, as part of the clarification process for HIPAA compliance, HHS released the Final Privacy Rule, which among other things clarified this statement. In addition, HHS has added several links to help businesses figure out this very question (Are you a covered entity?).
Below are a few examples of health care providers covered by HIPAA, but please visit the HHS link for further clarification.
Not all businesses that handle medical data are covered; providers are covered only if they submit HIPAA transactions electronically. Examples of electronic transactions are:
Feel free to comment below with any questions.