
Health Care Provider Responsibilities

Covered Entities

Covered entities are defined in the HIPAA rules as the following:

  • health plans
  • health care clearinghouses
  • health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards

Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly, or through an intermediary to a health plan, are covered entities. Covered entities can be institutions, organizations, or persons. Let’s take a closer look at each of the entities.

Health Care Plan

With certain exceptions, a health care plan is an individual or group plan which provides or pays the cost of medical care. The HIPAA law specifically includes many types of organizations and government programs as health plans.

Health Care Clearinghouse

A health care clearinghouse, which is either a public or private entity, is an organization that acts as a middleman between a provider and the entity that ultimately needs the information.

For example, when a hospital needs to get paid on an insurance claim, it must submit detailed medical information to the insurance company. When the hospital sends out this information, it goes through a health care clearinghouse so the information can be translated into a form that the insurance company can accept and understand.

Health Care Providers

Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include the following:

  • claims
  • benefit eligibility inquiries
  • referral authorization requests
  • other transactions for which HHS has established standards under the HIPAA Transactions Rule

Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction.

The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.

Electronic Protected Health Information

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects the information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

General Rules

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.

General Rules (Continued)

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.

Let’s take a look at a scenario about disclosing information to others inappropriately.


Situation: Joan works in a cardiology practice. The physicians in the practice admit patients to a local hospital. Joan schedules a hospital admission for a friend, Nell, who attends the same church as Joan. At church the following Sunday, several members ask Joan if she knows anything about Nell’s condition. How should Joan respond?

Response: Joan must not disclose any information about Nell obtained as a result of her work in the cardiology practice, not even to her own family or friends. Joan should politely inform the concerned church members that federal law prohibits sharing confidential information about patients without their express permission.

Integrity and Availability

The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes covered entities range from the smallest provider to the largest, multi-state health plan. Therefore, the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

  • its size, complexity, and capabilities
  • its technical, hardware, and software infrastructure
  • the costs of security measures
  • the likelihood and possible impact of potential risks to e-PHI

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

Risk Analysis and Management

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities:

  • Evaluate the likelihood and impact of potential risks to e-PHI.
  • Implement appropriate security measures to address the risks identified in the risk analysis.
  • Document the chosen security measures and, where required, the rationale for adopting those measures.
  • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Administrative Safeguards

There are several administrative safeguards that should be put into place regarding e-PHI.

Here are a few examples of recommended safeguards:

  • Security Officer: A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information Access Management: Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
  • Workforce Training and Management: A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • Evaluation: A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.


An OB/GYN practice client ran into trouble when its receptionist recognized a woman from her neighborhood who came in for STD testing. The receptionist promptly posted a gleeful message on Facebook regarding the patient’s medical issue after tracking down the test results, and common acquaintances on Facebook became privy to this confidential information. Improper access to patient information by office staff and dissemination of these details using social media are significant challenges that must be addressed.

The privacy rules created by HIPAA can seem cumbersome but every practice should evaluate its operations to make sure it is compliant.

Technical Safeguards

  • Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security: A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
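The Information Access Management, Access Control, Audit Controls and Integrity Controls items above describe what a system handling e-PHI must do; the following added example (not part of the module, and not any vendor's code) shows the three working together in one place. The role-to-field map, the record, the key and the user names are all constructed for illustration: each access attempt is checked against the role's "minimum necessary" fields, every attempt (allowed or denied) is written to an audit log, and an HMAC tag over the record is verified before anything is released so an improperly altered record is refused.

```python
import hmac, hashlib, json
from datetime import datetime, timezone
from typing import Optional

# Constructed "minimum necessary" map: which e-PHI fields each role may see.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "lab_results"},
    "billing":   {"name", "procedure_codes"},
    "reception": {"name"},
}

# Constructed demo key and record; a real system would load the key from a key store.
INTEGRITY_KEY = b"constructed-demo-key"
RECORD = {"patient_id": "P-0001", "name": "J. Doe", "diagnosis": "example dx",
          "lab_results": "example labs", "procedure_codes": ["99213"]}

AUDIT_LOG = []  # one entry per access attempt, whether allowed or denied

def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over canonical JSON so any unauthorized change is detectable."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()

def verify_integrity(record: dict, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(record), tag)

def access_ephi(user: str, role: str, record: dict, tag: str,
                fields: set) -> Optional[dict]:
    """Release only the requested fields the role is permitted; audit every attempt."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
             "patient_id": record["patient_id"], "fields": sorted(fields)}
    if not verify_integrity(record, tag):          # Integrity Controls
        entry["result"] = "denied: integrity check failed"
        AUDIT_LOG.append(entry)
        return None
    allowed = ROLE_FIELDS.get(role, set())           # role-based Access Control
    if not fields <= allowed:
        extra = ", ".join(sorted(fields - allowed))
        entry["result"] = "denied: exceeds role (" + extra + ")"
        AUDIT_LOG.append(entry)
        return None
    entry["result"] = "allowed"                      # Audit Controls: log success too
    AUDIT_LOG.append(entry)
    return {f: record[f] for f in fields}

if __name__ == "__main__":
    tag = integrity_tag(RECORD)
    print(access_ephi("drsmith", "physician", RECORD, tag, {"name", "diagnosis"}))
    print(access_ephi("joan", "reception", RECORD, tag, {"diagnosis"}))   # denied
    tampered = dict(RECORD, diagnosis="altered")
    print(access_ephi("drsmith", "physician", tampered, tag, {"diagnosis"}))  # denied
    for e in AUDIT_LOG:
        print(e)
```

Reviewing the audit log entries periodically, including the denied ones, is the "record and examine access" activity the Audit Controls item calls for.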

Organizational Requirements

If a covered entity knows of an activity or practice of a business associate that constitutes a material breach or violation of the business associate's obligations, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.

Policies, Procedures, and Documentation Requirements

A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain written security policies and procedures and written records of required actions, activities or assessments.

These written security records must be retained for six years from the date of their creation or the date they were last in effect, whichever is later.

NOTE: A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of e-PHI.

State Law

In general, state laws contrary to the HIPAA regulations are pre-empted by the federal requirements, which means the federal requirements will apply. “Contrary” means it would be impossible for a covered entity to comply with both the state and federal requirements, or the provision of state law is an obstacle to accomplishing the full purposes and objectives of the HIPAA provisions.

Enforcement and Penalties for Non-Compliance

If a covered entity’s employees and/or volunteers do NOT follow the rules set out by HIPAA, the federal government has the right to do the following:

  • conduct an investigation
  • impose fines and/or jail sentences, if found guilty

Civil Money Penalties

Unintentional HIPAA violations could result in:

  • $100 fine per violation
  • up to $25,000 for multiple violations of the same standard in a calendar year

The Department of Health and Human Services (HHS) may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect, and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.

Criminal Penalties

Knowingly making unauthorized disclosure of PHI may result in:

  • $50,000 fine
  • imprisonment of not more than one year
  • both a fine and imprisonment

Offenses which include false pretenses may result in:

  • $100,000 fine
  • imprisonment of not more than 5 years
  • both a fine and imprisonment

An offense with the intent to sell information may result in:

  • $250,000 fine
  • imprisonment of not more than 10 years
  • both a fine and imprisonment

The U.S. Department of Justice enforces the criminal sanctions.


Hunter is 21 years old and receives medical assistance because he has AIDS. Adrian works at a local insurance agency in the billing department. At lunch one day, Adrian told a coworker, who has no involvement with the case, that Hunter has AIDS.

Which is the correct penalty for this violation?

  1. $100 fine per violation, up to $25,000 for multiple violations of the same standard in a calendar year for unintentional offenses.
  2. $50,000 fine, imprisonment of not more than one year, or both for knowingly making an unauthorized disclosure of PHI.
  3. $100,000 fine, imprisonment of not more than 5 years, or both for offenses which include false pretenses.
  4. $250,000 fine, imprisonment of not more than 10 years, or both for an offense with intent to sell information.

Answer: $50,000 fine, imprisonment of not more than one year, or both, for knowingly making an unauthorized disclosure of PHI. Adrian made a deliberate disclosure of PHI.



Before beginning this quiz, we highly recommend you review the module material. This quiz is designed to allow you to self-check your comprehension of the module content, but only focuses on key concepts and ideas.

Read each question carefully. Select the best answer, even if more than one answer seems possible.

Good luck!

1. A covered entity must designate a security officer. What are the security officer's responsibilities?

2. Covered entities can be which of the following?

3. An offense with the intent to sell information may result in _____.

4. Unintentional HIPAA violations could result in _____.

5. Written security records must be maintained for ____ after the creation date or the last effective date.
