Before we look at the definition of PHI and at what information does and does not count as PHI, we first need two other HIPAA definitions: the covered entity and the business associate. Most HIPAA obligations attach to one of these two roles, so they determine who the rules apply to in the first place.
A covered entity is an organization or person that falls into one of three categories defined by HIPAA. According to the U.S. Department of Health & Human Services (HHS), covered entities are health care providers that transmit health information electronically in connection with a HIPAA-standard transaction (claims, eligibility checks, referrals and the like), health plans, and health care clearinghouses. Health care providers include doctors, clinics, dentists, psychologists, nursing homes, pharmacies, chiropractors and hospitals. Note the electronic-transaction qualifier: a provider that never bills or exchanges such transactions electronically is not a covered entity under HIPAA.
Health plans include health insurance companies, employer-sponsored group health plans, HMOs, and government programs such as Medicare and Medicaid. Employers and schools that sponsor or administer a group health plan handle PHI when enrolling employees or students, but it is the group health plan that is the covered entity; the employer or school acting in its own capacity is not.
A complete list of the entities that qualify as covered entities is given below.
A business associate is a person or organization, other than a member of the covered entity’s own workforce, that creates, receives, maintains, or transmits PHI in order to perform a function or service on behalf of a covered entity. In everyday terms, it is a vendor or contractor whose work for the covered entity requires access to PHI. Since the 2013 Omnibus Rule, a subcontractor that handles PHI on behalf of a business associate is itself a business associate and carries the same obligations.
Business associates can include providers of data transmission services, document or data storage services (it does not matter whether they ever actually view the PHI they maintain), patient portals or other interfaces built on behalf of a covered entity so that patients can share health-related data with it, and health information exchanges and similar organizations.