Health Insurance Portability and Accountability Act (HIPAA) Rules cover the allowable uses and disclosures of protected health information and the security of that data, but who does HIPAA apply to? Which types of organizations must implement HIPAA compliance programs?
Who Does HIPAA Apply to?
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if those organizations transmit health data electronically in connection with transactions for which the Department of Health and Human Services has adopted standards.
Healthcare providers that are typically required to comply with HIPAA Rules include hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans include HMOs, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs. Self-insured companies that provide health coverage to their employees are also required to comply with HIPAA Rules. Healthcare clearinghouses include entities that process nonstandard health information for a healthcare organization and transform the data into a different format.
Any organization that falls under the definition of a HIPAA covered entity – See 45 CFR 160.103 – is required to comply with HIPAA Rules, and there are severe financial penalties for organizations that violate HIPAA Rules or fail to realize that HIPAA compliance is required.
HIPAA Rules also apply to business associates of HIPAA covered entities. Business associates of HIPAA-covered entities can also be fined directly for HIPAA violations.
What is a HIPAA Business Associate?
A HIPAA business associate is an individual or entity that is required to perform functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information. Any business associate of a HIPAA-covered entity is required to sign a HIPAA-compliant business associate agreement – a contract that details the elements of HIPAA Rules that the business associate must comply with (See 45 CFR 164.504(e)).
Business associates are required to agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, and access controls to prevent unauthorized access and disclosures. They must agree not to use PHI for any purposes other than those for which the information is disclosed. They must not disclose the information to any other individuals or entities (except subcontractors – see below). They must provide individuals with copies of their PHI on request, and must notify their covered entity of any breaches of protected health information.
Business associates include a wide range of individuals and entities, including companies that conduct data analysis, process claims, or provide administrative, quality assurance, billing, payment, and collections services. Business associates also include accountants, consultants, attorneys, data storage firms, and data management companies. A more extensive list of business associates and an explanation of the differences between a business associate and a covered entity are detailed here.
Does HIPAA Apply to Subcontractors of Business Associates?
HIPAA also applies to subcontractors of business associates. If a business associate of a HIPAA covered entity subcontracts any work to another entity, and that entity is required to access or use PHI to complete its contracted duties, HIPAA Rules must be followed. Therefore, business associates must also enter into a business associate agreement with their subcontractors. As with their covered entities, a signed BAA constitutes ‘satisfactory assurances’ that the subcontractor has been informed about HIPAA Rules and is aware of its responsibilities with respect to PHI.
Does HIPAA Apply to Researchers?
Employees of covered entities are not business associates, but what about researchers? Does HIPAA apply to researchers? HIPAA Rules allow covered entities to disclose PHI to researchers, provided that patients have authorized the use and disclosure of their PHI for research purposes. In such cases, PHI can be disclosed. A business associate agreement is not required, although covered entities must enter into a data use agreement with the researcher. The data use agreement provides satisfactory assurances that HIPAA Rules will be followed with respect to the limited data set provided.
Not All Healthcare Organizations Must Comply with HIPAA Rules
Not all healthcare organizations are required to comply with HIPAA, even though they may create, store, maintain, and transmit the same types of protected health information as a HIPAA covered entity. HIPAA only applies if organizations transmit PHI electronically for transactions for which HHS has adopted standards.
Similarly, many health app developers and medical device manufacturers are not required to comply with HIPAA Rules, even though health data is recorded, stored, and transmitted by those apps and devices. Medical device manufacturers and health app developers are only required to comply with HIPAA Rules if they are business associates of a covered entity.
Patients should be aware that just because health data is collected, stored, transmitted, or used by an organization, it does not necessarily mean that health and personal data will be subject to HIPAA Rules. Also, breaches of health data at non-HIPAA-covered entities will only require notifications to be issued if the breached information is covered under state breach notification laws.