HIPAA for Providers

Health care providers, health plans (including Medicaid) and health care clearinghouses (called “covered entities”) must comply with HIPAA’s rules to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.  


Covered entities may share protected health information without patient authorization for the purposes of treatment, payment and certain health care operations. 


If a covered entity engages a “business associate” to help it carry out its health care activities and functions, the covered entity must have a written business associate contract that establishes specifically what the business associate has been engaged to do. This agreement requires them to comply with certain aspects of HIPAA regulations to protect the privacy and security of protected health information.    


Medicaid pays for some non-medical services (such as chore services, respite care, homemaker services and personal care services). Because the information we share with these providers about members is protected health information, these providers are business associates and must sign a business associate contract. The enrollment checklist will tell you if you need to sign a Business Associate Addendum.