Covered Entities



Health Insurance Portability and Accountability Act (HIPAA)

As required by Congress in HIPAA, the Privacy Rule covers:

  • Healthcare providers such as physicians, dentists, psychiatrists, hospitals, clinics, pharmacies, and laboratories. Other groups may also meet HIPAA's definition of Covered Entities.
  • Health plans
  • Health care clearinghouses

Collectively, these are called Covered Entities.

Covered Entities remain bound by the HIPAA Privacy Rule even when they contract with others, called "Business Associates," to perform some of their essential functions (billing, collections, medical record storage, etc.).

The HIPAA Privacy Rule created national standards to protect individuals' medical records and other personal health information by:

  • Establishing appropriate safeguards that health care providers and others must achieve to protect the privacy of health information;
  • Holding violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
  • Setting boundaries on the use and release of health records;
  • Giving patients more control over their health information; and
  • Striking a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

Healthcare providers are required to comply with HIPAA's Privacy and Security Rules and the requirements added in 2013 by the Health Information Technology for Economic and Clinical Health Act.


Download the HIPAA Privacy Manual (Template)

Download the HIPAA Security Manual (Template)

A downloadable Notice of Privacy Practices in Spanish has been added to supplement the HIPAA Privacy Manual above.

The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The HIPAA Security Rule requirements are limited to protecting health information in electronic form.

Briefly, HIPAA requires Covered Entities to:

  • Assign HIPAA responsibility to a designated person to serve as the HIPAA privacy and security officer.
  • Know the use and disclosure rules for protected health information.
  • Know the rights of individual patients.
  • Implement and maintain written Privacy and Security policies.
  • Develop compliant forms such as authorizations to release PHI and notice of privacy practices.
  • Execute appropriate business associate agreements.
  • Perform and document a risk analysis of PHI maintained in electronic form.
  • Implement required safeguards.
  • Train the workforce.
  • Respond immediately to any violation or breach.
  • Report breaches in a timely manner.
  • Document actions.
  • Be aware of more stringent laws.

To help pediatric practices meet the above responsibilities, the Academy provides sample HIPAA Privacy and Security Compliance Manuals that are downloadable for free to AAP members.

Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney. 

The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.
