Covered entities under HIPAA are individuals or groups that send protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103).
Included transactions are transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility reviews, healthcare electronic fund transfers, and referral certification and authorization.
Covered groups under HIPAA include health plans, healthcare providers and healthcare clearinghouses. Health plans include health insurance firms, health maintenance organizations, government programs that finance healthcare (Medicare, for example), and military and veterans’ health programs.
Healthcare clearinghouses are groups that process nonstandard health information and convert the data into formats that conform to the standards described in the HIPAA administrative simplification regulations.
Healthcare providers include hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information digitally.
HIPAA also applies to business associates of HIPAA-covered groups and their subcontractors.
HIPAA Business Associates
A business associate can be an individual or business that provides services to a HIPAA-covered entity that require it to access, store, use, or transmit protected health information. The list of business associates is lengthy, and the range of companies included under the definition of business associate is diverse.
Business associates of HIPAA-covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage companies (electronic and physical records), EHR providers, consultants, lawyers, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device producers.
Before a business associate is given PHI, or access to systems containing PHI, it must enter into a HIPAA-compliant business associate agreement with the covered group. A business associate agreement is a contract in which the duties of the business associate with respect to HIPAA and PHI are described.
Fines for Noncompliance with HIPAA Rules
Covered groups under HIPAA, and business associates that have signed a BAA with a covered entity, must comply with the HIPAA Rules. Failure to comply with any aspect of HIPAA can lead to financial penalties. The highest penalty for a HIPAA violation is $50,000 per incident, up to a maximum of $1.5 million, per violation category, annually.
If HIPAA violations have been allowed to continue for many years, or if multiple violations of the HIPAA Rules are found, multi-million-dollar fines are possible. Criminal penalties are also possible for certain HIPAA violations.