Covered Entity Status

I am an acupuncture physician in Florida. I rent space from a Chiropractor to treat some of my patients, they come by appointment. I keep all records at home and there is not electronic billing or data transfer of any kind. The practice is closed to the public at the time I practice. Do I have to comply with HIPAA?
Noted below is a link provided by CMS that will help you determine if you are a covered entity. http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D1

My suspicions are that you are not a covered entity and therefore do not need to comply with HIPAA. However, since you are renting space from a Chiropractor whom I am assuming is a covered entity, you should have a Business Associate contract with this office practice to ensure that those records (the Chiropractor's) are being protected under HIPAA. This will protect the Chiropractor and his/her records. (Posted 2/10/04)

I work in a dental office that does not have a computer and does all claims and info by hand. The front office person tells me she does not have to have patients sign disclosures because there are no online transactions. She claims all she has to do is post the Privacy Act. I am concerned that isn't enough.
CMS has developed a simple test for you to determine your covered entity status. Please use the following link: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D1
If, after you complete the test, you discover that you are not a covered entity, you are not required to follow the HIPAA regulations. However, you may be considered a Business Associate in some instances by Covered Entities that you are receiving PHI from and then you will be asked to sign Business Associate agreements. In these instances you will need to protect that PHI according to HIPAA. In any case it is a good business and ethical decision to protect health information and therefore you should make reasonable efforts to protect this information. (Posted 2/10/04)

I am just starting a new counseling practice. I will be doing my own record keeping and I have no other employees. I am not a licensed counselor yet, so I can not bill insurances. My practice will be cash only basis until I am licensed. I am in the process of registering as an intern working toward licensure, so I am under the supervision of a licensed counselor. How does HIPAA apply to me? Where can I get a HIPAA handbook?
CMS has developed a simple test for you to determine your covered entity status. Please use the following link: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D1
From what I am understanding, you yourself as a business do not appear to be a covered entity. However, since you are working with a covered entity (CE) with protected health information you may be considered an employee of that CE even though money is not exchanged and therefore must follow that CE's policies and procedures concerning HIPAA. If the CE does not wish to claim you as an employee, you must be considered a Business Associate of that CE if they are supplying you with PHI and once again must follow the HIPAA guidelines in regards to that PHI. You may go directly to the DHHS website to secure the Privacy and Security regulations or you can purchase booklets on HIPAA from any number of resources. Our website http://www.hipaacomply.com offers a booklet for a nominal charge for Physician Office Practices and Physicians. (Posted 2/10/04)

I am the captain of a volunteer ambulance service. We do not bill, so do we still need to be in compliance with HIPAA?
I agree with you that your first step is to determine your covered entity status. I am attaching a link http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D1 which will take you through a series of questions helping you to determine your status. If you complete the process and determine that you are not a covered entity, you may be a business associate of the covered entities which you are doing business with in the realm of protected health information. It appears that whether or not you are considered a covered entity, your organization is maintaining health information and therefore this information needs to be protected. Once you have determined your status you can find the privacy and security regulations at the following link http://www.hhs.gov/ocr/hipaa/ (Posted 2/10/04)

I work for a Financial Institution that currently processes payments for a medical office through a lockbox service. We do not receive any medical records or charts but do receive co-payments from patients and insurance payments for services provided. What steps must our institution take in order to ensure that we as well as our customer, the medical office, is in compliance with HIPAA?
The Medical Office is considered a HIPAA covered entity if they answer yes to the questions found on the CMS link http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D1
If they are a provider they must follow the HIPAA regulations.
Your organization must also determine if you are acting as a health care clearinghouse by taking the following test found in this link http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D2
If you determine that you are a covered entity, you must follow the HIPAA regulations.
If you are not a covered entity you may very well be considered a business associate of the medical office and in the capacity you are working with that organization you must follow guidelines for protecting that PHI which you are given by the covered entity. (Posted 2/10/04)

I am looking for information on where I can find a detailed website concerning a list or clear definitions of "business associates" that fall under necessary HIPAA compliance.
While I cannot supply you with a detailed list of business associates as this is determined on an individual scale, I can suggest that you visit The Department of Health and Human Services (DHHS) and the frequently asked question section. I am including the link to the FAQ regarding Business Associates for you to peruse http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php?p_sid=QM17UE-g&p_lva=&p_li=&p_page=1&p_cat_lvl1=7&p_cat_lvl2=17&p_search_text=&p_new_search=1
This list of questions will surely enlighten you in this matter. (Posted 2/10/04)

I own 2 licensed personal care homes in Pennsylvania. We provide room and board and assistance with the ADL's. We do not perform any medical procedures that we bill for. All medical personnel that perform a service for our residents bill either the resident directly, or the insurance company. Since we do no insurance or medicare billing do we have to be HIPAA compliant? If so, to what degree? Where can I get the info that we need if we have to be compliant?
I am attaching a link which will take you through a series of questions helping you to determine your status. (http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/xmldecision.asp?decision=D1) If you complete the process and determine that you are not a covered entity, you may be a business associate of the covered entities which you are doing business with in the realm of protected health information. It appears that whether or not you are considered a covered entity, your organization is maintaining health information and therefore this information needs to be protected. Once you have determined your status you can find the privacy and security regulations at the following link http://www.hhs.gov/ocr/hipaa/. (Posted 12/2/03)

We do mail-outs of Data Sheets to the physician who treats our patients. Please verify that the company that performs this function (stuffing envelopes and mail-outs) is or is not considered to be a Business Associate?
In order to answer your question I pulled the following response from DHHS's website which I believe answers your question very definitively. If a service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity’s premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate contract with the service. (Posted 12/2/03)

Is a volunteer fire company a "covered entity" under HIPAA?

To best answer this question without having all the facts I refer you to the following simple test for determining whether or not you qualify as a provider and therefore must follow the HIPAA guidelines:

  • Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations (Posted 10/15/03)

We are a non-profit agency that assists parents in locating services for their children who have mental health disorders. I was told that since we contract with the State Department of Mental Health which IS required to be compliant that we must be compliant as well. We do absolutely no billing to our clientele at all. All of our functions are funded through federal and state grant moneys. However, we do have private information about our clients, such as diagnoses, dates of birth, names, addresses, etc. Do we need to be HIPAA compliant?
Since you have been told that you must be compliant as you contract with the State Department of Mental Health, I am assuming that you have either signed a business associate agreement or are considered an affiliated entity and therefore must comply in that capacity. According to your signature information, it appears you are a department within the Department of Mental Health and therefore I am assuming you are working under an affiliated or Organized Health Care Arrangement (OHCRA) status. A covered entity analysis would better define your status.

Because you maintain highly sensitive health information it not only makes good business sense to follow the HIPAA guidelines but also certainly an ethical approach for protecting the privacy of your clients and their information. Therefore, in any case either as a covered entity or an associate you should follow all of the HIPAA Privacy Regulations. (Posted 10/15/03)

I have a question regarding the forms a patient should fill out. I have recently started a very small therapy practice which provides speech and occupational therapy in the child's home. I am trying to get information on what I need my patients to sign and if there are standard forms out there.
One of the first things you may want to do is to first determine if you are considered a covered entity and therefore must comply with the HIPAA regulations.

Here is a simple test to see if a person, business, or agency is a covered health care provider.

  • Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations

Once you have determined that you are a covered entity, you will need to adopt a Notice of Privacy Practices which details your policies and procedures in regards to patient rights and use and disclosure of protected health information (PHI). The HIPAA regulations are very specific on what must be included in the NPP. The first form, I believe you are referencing is that HIPAA states these covered entities must make a good faith effort to obtain a written acknowledgment of receipt of the NPP. You will need to keep this record on file. You will also need authorization forms for use and disclosure that is not covered by the treatment, payment or health care operation provision of HIPAA. I suggest that if you are a covered entity and have not started your HIPAA compliance program, you gain a copy of the Standards for Privacy of Individually Identifiable Health Information through the Department of Health and Human Services' website. (Posted 10/15/03)

I am an RN practicing as a School Nurse in Missouri. I am finding school nurses are a unique entity when it comes to HIPAA. It is my understanding that school health records are considered educational records and are therefore subject to FERPA regulations and not HIPAA regulations. As an RN, I still feel I need to follow HIPAA regulations also. Can you provide clarification on this?
It sounds as if your school system has made the determination that you are considered FERPA and HIPAA exempt. However, if within the scope of your services you are performing work outside of treatment for a covered entity and use or disclosure of PHI is necessary as a condition of this work, you may be considered a Business Associate of that entity. If this is the case you or your school will be asked to sign a Business Associate agreement and then you should be aware of the HIPAA Privacy Rule. (Posted 9/8/03)

How do the HIPAA rules and regulations affect patients treated in a first aid station in a religious environment?
If I am correctly understanding the circumstances, it does not seem that the first aid station is operating as a covered entity. To be a covered entity the following must apply:

Here is a simple test to see if a person, business, or agency is a covered health care provider.

• Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?

• If the answer is yes, does the person, business, or agency conduct covered transactions?

• If yes, are any of the covered transactions transmitted in electronic form?

• If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations

If after applying the test you are assured that the first aid station is not a covered entity, you can then conclude that HIPAA does not apply in this situation. (Posted 7/10/03)

As a massage therapist in the state of Indiana, does HIPAA apply to my practice? If so how does it fit and where do I go to get information to meet the requirements. Indiana does not license or regulate massage therapist. I do not work in a doctor's office, but sometimes Docs will refer a person for services.
In determining status as a covered entity, in regards to providers, it is extremely important to determine if you electronically bill for services provided. From what I understand, this is not the case. Here is a simple test to see if a person, business, or agency is a covered health care provider.

• Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?

• If the answer is yes, does the person, business, or agency conduct covered transactions?

• If yes, are any of the covered transactions transmitted in electronic form?

• If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations.

From the information you have provided, it does not sound as if you are a covered entity and therefore HIPAA does not apply. However, you may be asked to sign business associate agreements with entities that fall under the HIPAA regulations such as the physician office practices you are working with and if so you must agree to treat the protected health information in the same manner as the covered entity. (Posted 7/10/03)

We are a residential school for juvenile adjudicated/CHINA and shelter students in Iowa. We do not electronically bill for services. We are a private school not state run, however, we do paper bill each placing county for services. We are not a Medicaid provider nor do we have a "Medicaid provider number". We do have nursing staff (LPN's/RN's) on campus to provide medication passes, assessments, etc. We do have a separate level 1 Chemical Dependency program on site to provide services to our students. Do we have to comply with HIPAA Guidelines?
In determining status as a covered entity in regards to providers, your first statement is extremely important. That is that you do not electronically bill. Here is a simple test to see if a person, business, or agency is a covered health care provider.

• Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?

• If the answer is yes, does the person, business, or agency conduct covered transactions?

• If yes, are any of the covered transactions transmitted in electronic form?

• If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations.

From the information you have provided, it does not sound as if you are a covered entity and therefore HIPAA does not apply. However, you may be asked to sign business associate agreements with entities that fall under the HIPAA regulations and if so you must agree to treat the protected health information in the same manner as the covered entity. (Posted 7/10/03)

I own a small wellness center that provides therapeutic massage and related services to our clients. We employ a user pay system and do not accept any insurance, yet recently a fellow bodyworker told us we were required to be HIPAA compliant. We do occasionally receive referrals from traditional healthcare providers, but again, our clients pay as they go. We did not believe we met the criteria, but are unsure.
While generally speaking, you don’t do any insurance billing, the question remains, is there any electronic claim and/or protected health information stored on any media in your practice? When a referral is received, is there any communication with the “traditional” healthcare providers? Is there any chance of disclosure of a patient’s protected health information? If the answer to these questions is “no”, then you probably are not required to be HIPAA compliant.

The best way for you to approach this is to simply do all that you can to protect the patient’s confidential information. Please remember, this is not a legal opinion. In order to give you a comprehensive answer, we would need to know much more about your practice. Please refer to your legal counsel for a definitive answer. (Posted 6/12/03)

Can an employee obtain copies of his workers compensation medical records?
Workers compensation is not a covered entity and therefore does not fall under the HIPAA guidelines. Any claims submitted to worker’s compensation are the property of worker’s compensation. You may be able to question this agency on what information they may share with you. Your medical records housed in the hospital or doctor’s office may be accessed by following the guidelines the provider describes in their Notice of Privacy Practices. (Posted 6/5/03)

I am a self-employed speech therapist serving preschool and elementary aged students at a private school. I do not bill insurance, all payments are cash. Parents have the option of filing with their insurance company if they have coverage (none do that I know of). I keep a record of progress in the form of SOAP notes and do have a copy of their new client case history in their file. My question is regarding whether I must comply with HIPAA regulations in this scope of practice and, if I do, what is required? My personal physician's office handed me a 10-page form that outlines HIPAA and I was asked to sign it. Do I need to do something similar? If so, where do I get the information for such a form?
From what you are telling me, because you do not bill electronically, HIPAA does not consider you a covered entity. Here is a simple test to see if a person, business, or agency is a covered health care provider.

  • Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations

You may be a business associate of entities you work with and in that case, you will probably be asked to sign a business associate contract. In those instances you must protect that health information as a covered entity would under HIPAA guidelines. (Posted 6/5/03)

I am the EMS Coordinator for a municipal fire department. We are a non-transporting advanced life support provider. We do not bill for our services. We do maintain patient records as per state EMS guidelines. As far as health plans, the city has a group insurance plan available to each employee, and we have well over 50 employees city-wide, but only 24 within the fire department. Do we need to comply with the HIPAA regulations?
From your brief description of the fire department, it does not sound as if you are a healthcare provider filing electronic claims and therefore do not fall under the HIPAA regulations. I am a little confused by your health plan status and therefore will submit this test for you to determine if you fall under the entity status of a health plan.

Here is a simple test to see if a Health Plan is a covered entity and required to bill with the electronic standards.

  • Is the plan an individual or group plan or combination thereof that provides or pays for the cost of medical care? – If no, Stop, it is NOT a health plan
  • If yes, is the plan a group health plan – if yes does the plan have both of the following characteristics (a) it has fewer than 50 participants and (b) it is self-administered – if yes, Stop the plan is NOT a health plan, if no, the plan is a health plan.
  • Is the plan a health insurance issuer – if yes, the plan is a health plan
  • Is the plan an issuer of a Medicare supplemental policy – if yes, the plan is a health plan
  • Is the plan an HMO – if yes, the plan is a health plan
  • Is the plan a multi-employer welfare benefit plan - if yes, the plan is a health plan
  • Is the plan an issuer of long-term care policies – if yes, does the plan provide only nursing home fixed indemnity policies – if yes the plan is NOT a health plan – if no, the plan is a health plan
  • Does the plan provide only excepted benefits – if yes, the plan is NOT a health plan – if no the plan is a health plan

After applying this test, if the answer you arrive at is that the plan is a health plan, then you should know that this constitutes a covered entity under HIPAA regulations and therefore the standards apply.

While the privacy rule does not directly regulate employers, it does apply to group health plans that are sponsored by many employers. It sounds as if you are acting as a plan sponsor to a contracted health plan. Under the rule, a group health plan may disclose protected health information (PHI) to its plan sponsor only for limited purposes and only after the plan sponsor has complied with the rule’s requirements for disclosure. Therefore, if you are collecting or receiving PHI you must comply with HIPAA guidelines. The reason for this barrier is to prevent employers from using their employees’ PHI to make employment related decisions or breaching individuals’ health care privacy.

To determine the impact HIPAA has on your organization, you must examine the type of health information you as the plan sponsor receive, the purposes for which you as the plan sponsor receive this information, and the extent, if any, to which you as the plan sponsor perform administrative functions on behalf of the group health plan.

If you only receive summary health information, which is a subset of the PHI such as summarized claims history and expenses and identifiers of individual patients/employees PHI is removed, then you will be minimally impacted by HIPAA. You must agree to receive this information in the deidentified state and use the information only for obtaining premium bids for providing health insurance coverage to the group health plan or use it for modifying, amending or terminating the group health plan.

On the other hand if you receive more detailed PHI, you will need to certify that you have complied with the new HIPAA regulations. Therefore depending upon your status as a plan sponsor HIPAA can mean different levels of involvement on your part. (Posted 5/29/03)

I work for a CPA firm that also does computer consulting. We are sending out Business Associate Agreement letters to our health care clients to be HIPAA compliant. One of our clients said she heard that if there were less than 10 employees in the office that she didn't have to "be HIPAA compliant". I informed her that I thought this was incorrect, but I would like to verify. My understanding is that if it is a healthcare provider with even 1 employee, that they would have to be HIPAA compliant; especially if there are electronic transactions. Is this correct???
You are right. HIPAA does not distinguish against size of the facility or number of employees. The guiding principle is whether or not a health care provider bills electronically.

Here is a simple test to see if a person, business, or agency is a covered health care provider.

  • Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations. (Posted 5/29/03)

I am the executive director of a community based AIDS service organization. We provide case management, housing, mental health counseling, education, HIV and STD counseling and testing and needle exchange programming. We do not bill for any of our services. We receive funding from federal, state and local grants as well as from private fundraising. We are the fiduciary for federal and state funds that we pass through or subcontract to the local VNA and Hospital to cover salaries and related costs. Are we a covered entity and what do we need to do to document our status and clarify whether or not the regulations apply to our agency? Should we retain an attorney and, if so, what specialization should we seek?
Since it appears that you have multiple functions, and without knowing all of the facts, I am going to supply you with four tests. You may apply these tests to your organization to determine if you are considered a health care provider, health care clearinghouse, or health plan and a special test to determine if a government-funded program is considered a health plan. If you find that you are considered a covered entity, you must comply with HIPAA regulations.

Here is a simple test to see if a Health Plan is a covered entity and required to bill with the electronic standards.

  • Is the plan an individual or group plan or combination thereof that provides or pays for the cost of medical care? – If no, Stop, it is NOT a health plan
  • If yes, is the plan a group health plan – if yes, does the plan have both of the following characteristics (a) it has fewer than 50 participants and (b) it is self-administered – if yes, Stop, the plan is NOT a health plan, if no, the plan is a health plan.
  • Is the plan a health insurance issuer – if yes, the plan is a health plan
  • Is the plan an issuer of a Medicare supplemental policy – if yes, the plan is a health plan
  • Is the plan an HMO – if yes, the plan is a health plan
  • Is the plan a multi-employer welfare benefit plan - if yes, the plan is a health plan
  • Is the plan an issuer of long-term care policies – if yes, does the plan provide only nursing home fixed indemnity policies – if yes, the plan is NOT a health plan – if no, the plan is a health plan
  • Does the plan provide only excepted benefits – if yes, the plan is NOT a health plan – if no, the plan is a health plan

After applying this test, if the answer you arrive at is that the plan is a health plan, then you should know that this constitutes a covered entity under HIPAA regulations and therefore the standards apply.

Here is a simple test to see if a person, business, or agency is a covered health care provider.

  • Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?
  • If the answer is yes, does the person, business, or agency conduct covered transactions?
  • If yes, are any of the covered transactions transmitted in electronic form?
  • If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations

Here is a simple test to see if a business or agency is a health care clearinghouse and thereby a covered entity under the HIPAA regulations.

  • Does the business or agency process, or facilitate the processing of, health information from nonstandard format or content into standard format or content, or from standard format or content into nonstandard format or content?
  • If the answer is yes, does the business or agency perform this function for another legal entity?
  • If the answer is yes, the business or agency is a health care clearinghouse.

Are you a government funded program that acts as a health plan and thereby considered a covered entity?

  • Is the program one of the listed government health plans? The listed government-funded health plans are the Medicare program, Medicaid program, the health care program for active military personnel, the veterans health care program, CHAMPUS, the Indian Health Service Program, the Federal Employees Health Benefit Program, and approved state child health programs (SCHIP)
  • If yes, the program is a health plan. If no, does the program provide or pay the cost of medical care?
  • If yes, is the program a high-risk pool?
  • If yes, the program is a health plan. If no, is the plan an HMO?
  • If yes, the program is a health plan. If no, is the principal activity of the program providing health care directly?
  • If yes, the program is NOT a health plan. If no, is the principal activity of the program the making of grants to fund the direct provision of health care (e.g., through funding a health clinic)?
  • If yes, the program is NOT a health plan. If no, is the principal purpose of the program other than providing or paying the cost of health care (e.g., operating a prison system, running a scholarship or fellowship program)?
  • If yes, the program is NOT a health plan. If no, does the program provide only excepted benefits?
  • If yes, the program is NOT a health plan. If no, the program is a health plan (Posted 5/29/03)

I own a single proprietorship Hearing Aid Practice in Alabama. We do charge for hearing aids, but do not charge for hearing test, consultations, evaluations or office visits. We do not electronically file insurance benefit claims. We do not order hearing aids for our patients online. Are we required to be HIPAA compliant?
Per the HIPAA regulations, if you transmit or receive electronic transactions or store protected health information online, you are a covered entity. You said that you do not process any electronic claims, so that part would be a “no”. Do you store patient information online? If “yes”, you may be covered under the privacy and security regulations. (Posted 5/29/03)

I am from an advocacy agency for people with disabilities. We have many services that we offer, but there are two that I want to make sure that we are being HIPAA compliant if necessary. Are these services considered a covered entity?

1. We serve as the support coordinator/case manager for people with developmental disabilities. This service is funded by Medicaid State Plan Option. We bill Medicaid for this service in written form. I believe this would be a covered entity. My question is really what do you define as health care - does this include case management?

2. We have a service where we provide advocacy and support for individuals with varying disabilities. This support is paid for by the individual's family or by a trust. Advocacy means everything from making sure their apartment is clean to transporting them to medical appointments to applying for benefits. We maintain written plans for them in our office that list the meds they may be taking, their diagnosis, etc. From what I read on your website, we would be a business associate. We provide updates about the individual to their family members on a regular basis, and often this is done via email because it is the family's preferred method of communication. Communication may include that we took the individual to the doctor this month and the doctor changed the medication. Does this advocacy service fall under a covered entity? My initial reaction is no, because we do not bill or furnish health care.
I would like to start answering your questions by first supplying you with guidelines you may apply to your organization: Here is a simple test to see if a person, business, or agency is a covered health care provider.

Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?

• If the answer is yes, does the person, business, or agency conduct covered transactions?

• If yes, are any of the covered transactions transmitted in electronic form?

• If the answer to this question is yes, the person, business, or agency is a covered health care provider and must comply with all HIPAA regulations.

It sounds like in both situations you cannot answer yes to billing electronically. If this is a true assumption, you are not considered a health care provider and therefore not a covered entity under the HIPAA regulations. You will be considered a Business Associate and therefore must protect PHI (Protected Health Information) in the same manner the covered entity is expected to under the HIPAA regulations and should be held accountable by the covered entity and a business associate agreement with that covered entity and possibly many covered entities which you may work with in regards to PHI. (Posted 5/29/03)

I am the National Intake Coordinator for a non-profit support organization which provides free peer support, education and advocacy to women and families coping with high-risk pregnancies. I came across information regarding HIPAA regs and requirements quite by accident. However due to the nature of our work I became concerned that maybe we too should be complying with the privacy guidelines under HIPAA. Often times hospitals, health care and health insurance agencies refer patients to us for support services. I understand that these are considered covered entities. By virtue of that fact, are we considered a business associate and thereby required to comply with HIPAA privacy standards?
You must first make sure that you are not an entity. Since I am not familiar with everything that is done by your organization, here is a simple test to apply.

Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business? – if no, you may stop since you are not considered a health care provider.

If yes, does the person, business, or agency conduct covered transactions? – if no, you may stop since you are not considered a health care provider.

If yes, are any of the covered transactions transmitted in electronic form? – if no, you may stop since you are not considered a health care provider.

If yes, you are considered a health care provider.

If, after applying this test, the answer you arrive at is that you are considered a health care provider, then you should know that this constitutes a covered entity under HIPAA regulations and therefore the standards apply.

You may be considered a business associate by all entities that provide you with protected health information (PHI). If you are a business associate and asked to sign a business associate agreement, you will be expected to treat all that PHI provided by that entity under the HIPAA guidelines. (Posted 5/15/03)


We have a franchise in the state of Kentucky that provides non-medical in-home care to patients wishing to stay in their own home. We do not do any medical services, mainly housekeeping, meal preparation, transportation, etc... We are not required to be licensed in the State of Kentucky, but do hold an advisory opinion #AO-01-03. My question would be, would we be HIPAA mandated and to what degree of mandate would we be expected to comply? Where would be the best place to find out the laws governing non-medical in-home care?
From what you are telling me, you are not a health care provider since you do not furnish, bill or receive payment for health care in the normal course of business. If this assumption is correct you are not considered a covered entity. You may be considered a business associate if a health care provider supplies protected health information (PHI) to you in order for you to perform your duties such as diagnosis of the individual or special treatments, etc. If you are a business associate you will be asked to sign a business associate contract and maintain PHI in the same manner which the covered entity is required. (Posted 5/15/03)

I am an employer of 52 employees. I sponsor an HMO plan in MA that is fully insured. We do not have any medical history on our employees. What do we need to do under HIPAA and when?
Here is a simple test to see if a Health Plan is a covered entity and required to bill with the electronic standards.

• Is the plan an individual or group plan or combination thereof that provides or pays for the cost of medical care? – If no, stop, it is not a health plan.

• If yes, is the plan a group health plan? – If yes, does the plan have both of the following characteristics: (a) it has fewer than 50 participants and (b) it is self-administered? – If yes, stop, the plan is not a health plan; if no, the plan is a health plan.

• Is the plan a health insurance issuer? – If yes, the plan is a health plan.

• Is the plan an issuer of a Medicare supplemental policy? – If yes, the plan is a health plan.

• Is the plan an HMO? – If yes, the plan is a health plan.

• Is the plan a multi-employer welfare benefit plan? – If yes, the plan is a health plan.

• Is the plan an issuer of long-term care policies? – If yes, does the plan provide only nursing home fixed indemnity policies? – If yes, the plan is NOT a health plan; if no, the plan is a health plan.

• Does the plan provide only excepted benefits? – If yes, the plan is not a health plan; if no, the plan is a health plan.

If, after applying this test, the answer you arrive at is that the plan is a health plan, then you should know that this constitutes a covered entity under HIPAA regulations and therefore the standards apply. (Posted 5/15/03)