Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Covered Entity.


We provided this definition in the NPRM for convenience of reference and proposed it to mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a "standard transaction").

We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. A provider could not circumvent these requirements by assigning the task to its business associate since the business associate would be considered to be acting on behalf of the provider. See the definition of "business associate."

Where a public agency is required or authorized by law to administer a health plan jointly with another entity, we consider each agency to be a covered entity with respect to the health plan functions it performs. Unlike private sector health plans, public plans are often required by or expressly authorized by law to jointly administer health programs that meet the definition of "health plan" under this regulation. In some instances the public entity is required or authorized to administer the program with another public agency. In other instances, the public entity is required or authorized to administer the program with a private entity. In either circumstance, we note that joint administration does not meet the definition of "business associate" in § 164.501. Examples of joint administration include state and federal administration of the Medicaid and SCHIP program, or joint administration of a Medicare+Choice plan by the Health Care Financing Administration and the issuer offering the plan.