Term Review

Covered Entity

  • Health care providers, health care clearinghouses, and health plans
  • Organizations such as hospitals, insurance companies, self-insured health plans, and small physician practices are all covered entities

Business Associate

  • Entities that create, maintain, or transmit PHI while performing healthcare activities and functions on behalf of covered entities
  • Auditors, consultants, lawyers, claims-processing firms, pharmacy benefit managers, and other service providers are business associates


Breach

  • There is now a presumption that any use or disclosure of PHI in violation of HIPAA is a breach, unless the covered entity or business associate demonstrates a low probability that PHI has been compromised


Protected Health Information (PHI)

  • Any individually identifiable health information stored in any form or medium (electronic, paper, or even oral)
  • Information, including demographics, which relates to past, present, or future physical or mental health conditions, provision of health care, or payment for the provision of health care

In certain contexts, many common identifiers fall into the PHI bucket (name, address, birth date, SSN, etc.) because they can be used to tie an individual back to their health information.

If a piece of data can be used to associate an individual back to their health data in any way, it’s PHI and subject to HIPAA regulations.