Home » Courses » Healthcare » HIPAA for Covered Entities

HIPAA for Covered Entities

Learning Objectives

  • Explain HIPAA, the HITECH Act, and the Omnibus Final Ruling updates
  • Define PHI (protected Health information, and health providers and BAs responsibility to protect information
  • List ways to secure PHI
  • Describe procedures to follow if there is a security breach
Buy Now

Available in English

40 minutes


The healthcare industry loses about $7 billion per year due to HIPAA data breaches, and 42% of breaches are caused by employee errors or ignorance.

The Breach Report, 2012


The HIPAA Privacy Rule  and Administrative Simplification rules, apply to covered entities. Covered entities are defined as health plans, healthcare clearinghouses, and any healthcare provider who transmits health record information in electronic form.

Types of Covered Entities

Health Plans

  • Providers, or entities that pay for the cost of medical care such as health, dental, vision, and prescription drug insurers.
  • HMOs, Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers.
  • Long-term care insurers.
  • Employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans.

Healthcare Providers

Every healthcare provider, regardless of size, who electronically transmits health record information in connection with certain transactions, including institutional providers such as hospitals and non-institutional providers such as physicians, dentists and other practitioners.

Healthcare Clearinghouses

These entities process nonstandard information received from another entity into a standard format or data content. They include billing services, repricing companies, community health management information systems, and value-added networks.

Not A Covered Entity

  • A group health plan with less than 50 participants managed solely by the employer.
  • Government funded health plan programs such as Food Stamps, a community health center, healthcare grant providers.
  • Insurance entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.

Failure to Comply with HIPAA Privacy Rule

Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties.  In addition, certain violations of the Privacy Rule may be subject to criminal prosecution. 

Civil Money Penalties

Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect.

  • Violations occuring before February 18th, 2009 - Up to $100 per violation, with a $25,000 calendar year cap
  • Violations occuring after February 18th, 2009 - $100 to $50,000 or more per violation, with a $1,500,000 calendar year cap

Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to

  • $50,000 and up to one-year imprisonment.  
  • $100,000 and up to five years imprisonment if it involves false pretenses
  • $250,000 and up to 10 years imprisonment if it involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm
Course Outline
  • Introduction
  • HIPAA's History
  • Protected Information
  • Securing PHI
  • Breach Notification
Regulations
  • Health Insurance Portability and Accountability Act, Public Law 104-191, 104th Congress
  • 45 CFR Parts 160 & 164 Breach Notification for Unsecured Protected Health Information
  • 45 CFR Parts 160, 162, & 164 Health Insurance Reform: Security Standards; Final Rule
  • 45 CFR Part 160, Subparts A & E of Part 164 Privacy Rule
  • 45 CFR Parts 160, 164 Standards for Privacy of Individually Identifiable Health Information; Final Rule
  • 45 CFR Part 160 Security Rule
  • 45 CFR Part 164 Subparts A & C Security Rule