Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org, and we will work with our experts to provide the information you need.
Q: I am employed by an independent and assisted living retirement facility. The facility does not transmit electronic records (i.e., PHI) of our residents or staff for any kind of reimbursement. We offer health insurance to our employees and have been asked by our health insurance broker to sign a business associate agreement (BAA) because our broker says our organization is considered a covered entity (CE) under HIPAA. Upon requesting that the facility enter into a BAA, the broker sent the following message:
“As an employer, you are a ‘covered entity’ under HIPAA because you sponsor a Group Health Plan. That means you are responsible for making sure that your business associates who receive PHI about you or your employees handle this information properly—we are one of these business associates.”
The retirement facility does not consider itself a CE. Is the organization considered a CE because it offers health insurance to its employees?
A: CEs under HIPAA are healthcare clearinghouses, certain healthcare providers (those that use covered transactions like electronic billing), and health plans.
A group health plan is a CE (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as CEs under HIPAA.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.