By Jennifer Carpenter, CHC, M.ED, CIVHC’s Data Privacy and Compliance Manager

If you work in or with an organization that deals with protected health information (PHI), you are probably familiar with the terms covered entity (CE) and business associate (BA) as described in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. However, do you ever wonder why exactly an organization is considered a CE versus a BA?

Why is this an important distinction?

HIPAA provides federal protections for PHI by giving patients more control over their health information and setting boundaries on the use and release of PHI by CEs and BAs. The difference between a CE and a BA can be confusing, so let’s break it down.

A CE is defined in the HIPAA rules as including:

1. health plans,
2. health care clearinghouses, and
3. health care providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards.

Example: a health plan that has a direct patient relationship.

A BA is a person or entity that performs functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a CE. For example, a medical billing company is exposed to PHI in order to carry out its services for the CE.

Which one does CIVHC fall under?

CIVHC is often asked this question as the administrator of the Colorado All Payer Claims Database (CO APCD). CIVHC has an important role in protecting the PHI in the CO APCD and is considered a CE or BA in three different ways:

1. CIVHC falls under the plain language definition of a HIPAA CE as a health care data clearinghouse because it processes non-standard data and transactions received from payers into data elements. (CIVHC as CE)
2. The HIPAA Privacy Rule states that a CE may disclose PHI to a BA and allow the BA to use, create, or receive PHI on its behalf. As the state Medicaid agency, the Department of Health Care Policy and Financing (HCPF) is also a CE and has a BA agreement in place with CIVHC. This allows CIVHC to receive and process mandated data submissions on behalf of another CE, Medicaid. (CIVHC as CE / BA with HCPF; HCPF also CE)
3. HB 10-1330, the enabling statute for the CO APCD, requires CIVHC to act as a CE even if the first two of these situations did not apply. This means that, even if there were no other requirement to abide by HIPAA privacy standards, CIVHC, as the CO APCD administrator, and the CO APCD itself are required to adhere to all federal medical privacy laws. (CIVHC as CE)

Tool to Determine Which Rules Apply to an Organization

Every organization is different, and you may be wondering whether your organization is considered a CE or a BA under HIPAA. This is now even easier to determine using a tool designed by the Centers for Medicare & Medicaid Services to help health care providers and organizations check whether they are considered HIPAA-covered entities. Find it here.

