A covered entity is a healthcare provider, health plan, payer, clearing house or any other entity that processes health data electronically. Because of the kind of health information it processes, and the way it is processed, a covered entity must comply with HIPAA and the Privacy Rule. UMass Amherst as an institution is not a covered entity but is considered a hybrid entity. This means that it performs both covered and noncovered functions as part of its business operation, for example the activities of University Health Services (UHS) would be considered covered. Most investigators at UMass Amherst will need authorization from their subjects to allow a covered entity like UHS or Baystate Health to disclose protected health information (PHI) to them. A covered entity must limit the amount of PHI disclosed to recipients to the "minimum necessary."