For Covered Entities and Business Associates
The HIPAA Rules apply to covered entities and business associates.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.
A Covered Entity is one of the following:

A Health Care Provider
This includes providers such as:
- Nursing Homes
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan
- Health insurance companies
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

View an easy-to-use question and answer decision tool.
Guidance Materials for Small Providers, Small Health Plans, and other Small Businesses
View materials about the Privacy Rule for small providers, small health plans and other small businesses.
Guidance Materials for Covered Entities
Summary of the Privacy Rule - This is a summary of the key elements of the Privacy Rule, including who is covered, what information is protected, and how covered entities can use and disclose protected health information.
Guidance on Significant Aspects of the Privacy Rule - A collection of documents explaining many provisions of the Privacy Rule, including business associates, special topics such as disclosures for public health and research, and incidental uses and disclosures.
Summary of the Security Rule - This is a summary of the key elements of the Security Rule, including what administrative, physical, and technical safeguards covered entities must have in place to protect the security of electronic protected health information.
Guidance on How to Comply with the Security Rule - A collection of documents explaining how the Department expects covered entities to achieve substantial compliance with the Security Rule.
Guidance on HIPAA and Workplace Wellness Programs - This guidance explains the ways in which health information collected from or created about participants in a wellness program offered as part of a group health plan is protected by HIPAA.
Security Risks to Electronic Health Information from Peer-to-Peer File Sharing Applications - The Federal Trade Commission (FTC) has developed a guide to Peer-to-Peer (P2P) security issues for businesses that collect and store sensitive information.
Safeguarding Electronic Protected Health Information on Digital Copiers - The Federal Trade Commission (FTC) has tips on how to safeguard sensitive data stored on the hard drives of digital copiers.
Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
Workshop on the HIPAA Privacy Rule's De-Identification Standard - Washington, DC - March 8th & 9th, 2010
Fast Facts for Covered Entities - Answers to many common questions and misconceptions about patient consent, incidental disclosures, child abuse reporting, electronic media, and other disclosures.
Provider Guide: Communicating With a Patient's Family, Friends, or Other Persons Identified by the Patient - This is a guide for health care providers to help them determine when they can disclose a patient's health information to the patient's family, friends, or others identified by the patient.
Guidance on Sharing Information Related to Mental Health - This guide addresses questions about when it is appropriate under the Privacy Rule for a health care provider to share information about a patient who is being treated for a mental health condition.
Misleading Marketing Claims - This notice addresses marketing claims that suggest compliance programs may be endorsed by HHS. HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant.
Designation of Regional Privacy Advisors - The HITECH Act requires the Secretary to designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules.
Sign Up for the OCR Privacy Listserv - OCR has established a listserv to inform the public about Privacy and Security Rule FAQs, guidance, and technical assistance materials as they are released.