Each of these groups, in turn, is given an expansive regulatory definition, summarized roughly as follows:
- health plan means any individual or group plan that provides, or pays the cost of, medical care — including public and private health insurance issuers, HMOs or other managed care organizations, employee benefit plans, the Medicare and Medicaid programs, military/veterans plans, and any other "policy, plan or program" for which a principal purpose is to provide or pay for health care services;
- health care provider means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business; and
- health care clearinghouse means a public or private entity, including a billing service, repricing company, community health information system, and "value-added" networks and switches, that either processes or facilitates the processing of health information.
In short, an organization that routinely handles protected health information in any capacity is in all probability a covered entity. In turn, the behavior of any person in the covered entity's workforce is covered by extension.
Organizations performing functions involving personal health information on behalf of covered entities would be reached under the business associate contracts that HIPAA requires for such relationships. Behavior of individuals in the business associates' workforces would be covered in turn.
The Department of Health and Human Services' "First Guidance" on the Final Privacy Rule lists the following generic requirements for covered entities:
- providing information to patients about their privacy rights and how their information can be used (in a notice of privacy practices);
- adopting clear and appropriate privacy policies and procedures for its practice, hospital, or plan;
- training workforce members so that they understand the privacy procedures;
- designating a privacy office or officer to be responsible for seeing that the privacy procedures are adopted and followed; and
- adopting adequate security policies and procedures for patient records containing individually identifiable health information.
See 45 C.F.R. 160.103 for the few statutory exemptions.