HIPAA Demystified, Part 2: Who Is A Covered Entity?
So, we've covered what HIPAA is in Part 1 of this series. Now let's talk about who it applies to, because, like all government programs, the language is just a tad bit confusing and the perils of not reading the fine print are high.
HIPAA calls the practitioners it applies to covered entities. I've seen a lot of confusion around the internet about who exactly is considered a covered entity, so here is the info straight from CMS:
"A covered entity is one of the following:
A Health Care Provider, which includes
but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard."
A Health Plan
Health insurance companies
Company health plans
Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
A Healthcare Clearinghouse" (not sure what that is? I explain it in my EHR post here).
Under that definition, we SLPs are considered healthcare providers.
So, how do we know if we transmit information in an electronic form per the definition? The CMS has a handy interactive flow chart here. If you don't want to click through, here are the questions:
Does the person, business, or agency, furnish, bill, or receive payment for healthcare in the normal course of business?
Does the person, business, or agency transmit (send) any transactions electronically?
The transactions are defined as:
"A request to obtain payment, and necessary accompanying information, from a health care provider to a health plan, for health care.
If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care." (emphasis mine)
Further definition of a health care transaction:
"An inquiry from a health care provider to a health plan or from one health plan to another health plan, to obtain any of the following information about a benefit plan for an enrollee:
Eligibility to receive health care under the health plan.
Coverage of health care under the health plan.
Benefits associated with the benefit plan.
A response from a health plan to a health care provider’s (or another health plan’s) inquiry described in paragraph A of this section."
My understanding of that definition is this: if you are ONLY billing private pay, NEVER contacting insurance about Out of Network benefits, and ONLY giving clients a hard copy of their invoice (not emailing it), then you are NOT a covered entity. If you accept insurance OR send superbills electronically, then you ARE a covered entity (a superbill being the "transmission of encounter information for the purpose of reporting health care").
So, basically, if you accept insurance, you are a covered entity and must abide by HIPAA. If you only accept private pay, then you have to examine how you're billing and accepting payment, and make your decision that way.
If you ARE a covered entity, stay tuned for Part 3 of HIPAA Demystified: Lions and Tigers and BAA's, Oh My! Wondering what HIPAA even is? Check out HIPAA Demystified Part 1: What is HIPAA?