HIPAA applies to covered entities and business associates.
There are three types of covered entities:
- Health plans, such as health insurance companies
- Healthcare clearinghouses, such as billing companies
- Healthcare providers, such as doctors, hospitals, laboratories, and pharmacies
Covered entities need to access, use, and disclose PHI in order to perform their job duties. Therefore, they must be compliant with HIPAA.
A business associate is a separate entity that provides services to or on behalf of the covered entity. These services may require the access, use, and disclosure of PHI. A business associate agreement (BAA) must be in place between a covered entity and its business associates. It defines the processes that will involve PHI and limits the permissible uses and disclosures of PHI by those business associates. A business associate may use or disclose PHI only as permitted or required by the BAA or as required by law.