What Are a Covered Entity and a Business Associate?

Let’s start by understanding exactly what a covered entity (CE) and a business associate (BA) are. A HIPAA covered entity is an organization that directly handles Protected Health Information (PHI), including PHI held in Personal Health Records (PHRs). Under HIPAA that means health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. The most common examples of covered entities are hospitals, doctors’ offices and health insurance providers.

Covered entities are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act mandates for the protection of PHI and PHRs.

A business associate under the HIPAA Privacy Rule is a person or organization that creates, receives, maintains or transmits protected health information on behalf of a covered entity while performing certain functions or activities. These activities include claims processing, billing, legal services, accounting services, consulting services, administrative services, and even software or hardware support, whenever that support involves access to PHI.

The HITECH Act also specifies that an organization that provides data transmission of PHI to a covered entity and requires routine access to that PHI (a health information exchange, for example) is treated as a business associate.

“Anti-Social” Behavior

With the rise of social media and the popularity of sites such as Facebook, Twitter, LinkedIn and countless others, developing an “anti-social” policy for the office may be in order. A growing share of doctors’ offices, hospitals and insurance companies find real value in these sites, but every account that can reach them from the workplace is also a channel through which PHI can leave the organization, and that is an extreme risk to be taking.

Last year, a nurse in California posted a patient’s picture and chart on Facebook, along with comments about the patient’s sexual behavior. In addition, multiple cases have been reported in which nursing staff used social media sites to pass information about patients to one another during shift changes.

These are not isolated events. A Nucleus Research study found that approximately 77 percent of healthcare workers have a Facebook account, and nearly two-thirds of those employees access their accounts during work hours. While the vast majority of these healthcare workers will never violate HIPAA/HITECH regulations by exposing PHI, any organization that permits these sites to be accessed from the office, without a policy and controls around that access, is opening itself up to severe consequences.

“Socialize” Policy Change(s)

Everyone realizes that once something has been made available to employees online, removing their access to these sites can be detrimental to the working “climate” and ultimately bring down employee morale. However, there are steps that allow social media and patient privacy to coexist:

  • Broaden the current compliance policies to cover use and information disclosure on social media and in other internet-related activities.
  • Provide employees with examples of statements that would be considered “in violation” of HIPAA regulations. Remember, an unintentional disclosure of PHI is still a violation.
  • Develop specific social media policies.
  • Provide annual training to employees on “Acceptable Use” of the internet, and require a signed acknowledgment from each employee that the training was received.
  • Develop an Acceptable Use Policy (AUP) that governs the usage, limitations and requirements for all software, hardware and mobile devices used by the workforce.


A concise, well-written and widely communicated social networking policy is an employer’s most effective defense against liability for employee misuse of social networking sites. It should spell out HIPAA compliance responsibilities during both work and non-work hours, and on both company computer systems and any other device with access to the Internet, because a post made from a personal phone at home exposes PHI just as surely as one made from an office workstation.