What is a Covered Entity under HIPAA?

A Covered Entity under HIPAA refers to healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI) and are subject to HIPAA regulations. These entities are responsible for complying with HIPAA privacy, security, and breach notification requirements to ensure the confidentiality, integrity, and availability of PHI.

What are the responsibilities and obligations of Covered Entities?

The responsibilities and obligations of Covered Entities include safeguarding PHI, implementing privacy and security measures, conducting risk assessments, developing policies and procedures, training employees on HIPAA compliance, providing patients with notice of privacy practices, obtaining patient authorizations for certain uses and disclosures of PHI, and promptly reporting any breaches or violations of HIPAA regulations. These requirements aim to protect patient privacy, maintain the security of sensitive health information, and ensure compliance with HIPAA regulations.

What are the categories of Covered Entities under HIPAA?

HIPAA defines different categories of Covered Entities based on their role in the healthcare industry. These categories include healthcare providers such as doctors, hospitals, clinics, pharmacies, and nursing homes; health plans such as insurance companies, HMOs, and government programs like Medicare and Medicaid; and healthcare clearinghouses that process and transmit health information. Each category has specific responsibilities and obligations under HIPAA regulations.

What are the subcategories of Covered Entities?

Subcategories of Covered Entities can vary depending on the specific industry or organization. For healthcare providers, subcategories may include individual practitioners, group practices, outpatient facilities, and specialty clinics. Health plans can include employer-sponsored plans, private insurance plans, and government programs. Healthcare clearinghouses may include organizations that handle claims processing, billing services, and data transmission. These subcategories help identify and address specific compliance requirements based on the entity's role and function within the healthcare ecosystem.

How is compliance and enforcement of HIPAA regulations for Covered Entities carried out?

Compliance and enforcement measures for Covered Entities involve audits, investigations, and penalties imposed by the Office for Civil Rights (OCR), which is responsible for enforcing HIPAA regulations. OCR may conduct random audits or investigate complaints to ensure Covered Entities are in compliance with HIPAA requirements. The audits assess an entity's adherence to privacy, security, and breach notification rules. Penalties for non-compliance can range from monetary fines to corrective action plans or even criminal charges, depending on the severity of the violation.

What are the benefits of HIPAA compliance for Covered Entities?

HIPAA compliance offers several benefits for Covered Entities. It helps protect the privacy and security of patient information, enhances patient trust and confidence, reduces the risk of data breaches and associated financial and reputational damages, ensures legal and regulatory compliance, improves overall data management practices, and promotes interoperability and information exchange between healthcare entities. By following HIPAA requirements, Covered Entities can establish a culture of privacy and security, safeguarding sensitive health information and promoting the efficient and effective delivery of healthcare services.

How does HIPAA compliance enhance data security within Covered Entities?

HIPAA compliance enhances data security within Covered Entities through the implementation of technical safeguards, such as encryption and access controls, physical safeguards like secure facilities and equipment, and administrative safeguards including policies, procedures, and employee training. These measures help prevent unauthorized access, use, or disclosure of PHI, reducing the risk of data breaches and maintaining the confidentiality, integrity, and availability of patient information. Regular risk assessments, ongoing monitoring, and incident response protocols further contribute to data security and compliance efforts.

Release of Medical Records Form

A valid release of medical records form is required before Protected Health Information (PHI) can be used or disclosed by a covered entity for a purpose not permitted by the HIPAA Privacy Rule. But what uses and disclosures are not permitted by the HIPAA Privacy Rule and what conditions need to be fulfilled in order for a release of medical records form to be valid?

The easiest way to explain what uses and disclosures of PHI are not permitted by the HIPAA Privacy Rule is to list the uses and disclosures that are permitted. This is because, although 45 CFR §164.508 contains the standards and implementation specifications for “uses and disclosures [of PHI] for which an authorization is required”, the section starts with the line:

“Except as otherwise permitted or required by this subchapter [the HIPAA Privacy Rule], a covered entity may not use or disclose PHI without an authorization that is valid under this section.”

Therefore, it is necessary to establish which uses and disclosures of PHI are permitted or required by the Privacy Rule in order to determine those that are not permitted. With regards to those that are required, there are only two scenarios in which a covered entity or business associate is required to disclose PHI by HIPAA:

When an individual exercises their right under 45 CFR §164.524 to request a copy of their PHI or their right under 45 CFR §164.528 to request an accounting of disclosures, or
When the Department of Health and Human Services’ Office for Civil Rights investigates a complaint, an alleged violation, or a data breach, or conducts a HIPAA compliance audit.

In addition to the requirements of HIPAA, many states have enacted laws that require healthcare providers to report child neglect, domestic abuse, and/or injuries attributable to gunshots. HIPAA permits these disclosures under 45 CFR §164.512 provided the disclosures to comply with state laws only consist of the minimum necessary to achieve the purpose of the disclosure.

Permitted Uses and Disclosures of Medical Records under HIPAA

Permitted uses and disclosures of medical records under HIPAA include uses and disclosures to provide healthcare, conduct treatment-related transactions (eligibility checks, treatment authorizations, claims billing, etc.), and perform health care operations – for example, training, quality assessments, business planning, and internal disciplinary actions.

Under the same standard as permits healthcare providers to report child neglect, covered entities and business associates are also permitted to disclose PHI to public health agencies or law enforcement officers to avert a serious threat to health and safety, employers to support workplace health and safety and OSHA compliance, and to medical examiners, coroners, and funeral directors.

There are a number of other permitted uses and disclosures of medical records under this standard, and also under 45 CFR §164.510 (“Uses and disclosures requiring an opportunity for the individual to agree or to object”) which permits covered entities to accept verbal consent or objection rather than a formal signed release of medical records form. Nonetheless, verbal consent should always be documented.

It is important for healthcare providers to be aware of the scenarios in which uses and disclosures of medical records are permitted under HIPAA so that the administrative burden of completing, managing, and retaining release of medical records forms is kept to a minimum. Individuals and organizations who are unsure of the permitted uses and disclosures should seek professional compliance advice.

What Should be Included in a Release of Medical Records Form?

What should be included in a release of medical records form to make it valid are the “core elements” listed in 45 CFR §164.508. These are the name of the individual authorizing the release (i.e., the patient), the name of the organization being authorized to release medical records (i.e., the covered entity), a description of what information is being disclosed, why it is being disclosed, and how long it is being disclosed for.

In order for the release of medical records form to be valid, it must also include statements to the effect that the individual has the right to revoke their authorization, that treatment or benefits are not conditional on the authorization, and that, if medical records are being released to an individual or organization not covered by the HIPAA Privacy Rule, the potential exists for the medical records to be further disclosed.

Beyond the core elements are required statements, covered entities and business associates can add further information or fields to satisfy the requirements of state laws or other federal laws related to attested uses and disclosures of PHI – for example, when SUD records are disclosed, the release of medical notes form has to advise the subject of the records they will not be further disclosed without the subject’s authorization.

Because the forms can serve many purposes, there is no one-size-fits all release of medical records form. Nonetheless, we have compiled a release of medical records form that meets the requirements of HIPAA to comply with the Privacy Rule, and provides an opportunity for the form to be customized. Individuals and organizations who are unsure of how best to customize the form to meet their compliance requirements should seek professional compliance advice.

Download Release of Medical Records Form
(Word document download)

← Previous Article

Step 1 : Download Checklist.

Step 2 : Review Your Business

Step 3 : Get Compliant!

Our HIPAA compliance checklist will outline everything your organization needs to become fully HIPAA compliant. Fill in the form below to download it now.

View our privacy policy

Release of Medical Records Form

Permitted Uses and Disclosures of Medical Records under HIPAA

What Should be Included in a Release of Medical Records Form?

Useful links

Stay Informed