Who must comply with HIPAA Privacy Standards?
As required by Congress in HIPAA, the Privacy Rule covers:
These entities (collectively called "covered entities") are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See our business associate section and the frequently asked questions about business associates for a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.
What is a HIPAA covered entity?
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Covered entities can be institutions, organizations, or persons.
Are there any covered entities within the DES?
There are two HIPAA covered entities within the DES – the Department of Developmental Disabilities (DDD) and the Refugee Medical Assistance Program (RMAP).
Who should I contact to file a complaint against a health care provider or entity outside of DES?