HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if those entities transmit health information electronically in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.
Healthcare providers that are typically required to comply with HIPAA Rules include hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans include HMOs, health insurance companies, employer-sponsored health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans' health programs. Self-insured companies that provide health coverage to their employees are also required to comply with HIPAA Rules. Healthcare clearinghouses are entities that process nonstandard health information received from another entity into a standard format, or standard information into a nonstandard format.
Any organization that falls under the definition of a HIPAA covered entity (see 45 CFR 160.103) is required to comply with HIPAA Rules, and there are severe financial penalties for organizations that violate HIPAA Rules or fail to recognize that HIPAA compliance is required.
HIPAA Rules also apply to business associates of HIPAA covered entities, and business associates can be fined directly for HIPAA violations.
HIPAA Business Associate Definition
A HIPAA business associate is a person or entity that performs functions or activities on behalf of, or provides certain services to, a HIPAA covered entity that involve the use or disclosure of protected health information (PHI). Any business associate of a HIPAA covered entity is required to sign a HIPAA-compliant business associate agreement (BAA), a contract that sets out the elements of HIPAA Rules with which the business associate must comply (see 45 CFR 164.504(e)).
Business associates must agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, including access controls to prevent unauthorized access and disclosures. They must agree not to use PHI for any purpose other than the purposes for which the information was disclosed to them. They must not disclose the information to any other individuals or entities (except subcontractors; see below). They must provide individuals with copies of their PHI on request, and must notify the covered entity of any breaches of protected health information.
Business associates include a wide range of individuals and entities, including companies that perform data analysis, claims processing, administrative services, quality assurance, billing, payment, and debt collection. Business associates also include accountants, consultants, attorneys, data storage companies, and data management companies.
HIPAA & Subcontractors of Business Associates
HIPAA also applies to subcontractors of business associates. If a business associate of a HIPAA covered entity subcontracts any work to another entity, and that entity must access or use PHI to carry out its contracted duties, HIPAA Rules must be adhered to. Business associates must therefore also enter into a business associate agreement with their subcontractors. As with covered entities, a signed BAA constitutes 'satisfactory assurances' that the subcontractor has been informed of HIPAA Rules and is aware of its responsibilities with respect to PHI.
HIPAA & Researchers
Employees of HIPAA covered entities are not business associates, but what about researchers? HIPAA Rules allow covered entities to disclose PHI to researchers once patients have authorized the use and disclosure of their PHI for research purposes. A business associate agreement is not required in such cases. Where a covered entity discloses a limited data set to a researcher, it must instead enter into a data use agreement with the researcher. The data use agreement provides satisfactory assurances that HIPAA Rules will be followed with respect to the limited data set that is handed over.
Not All Healthcare Organizations Must Comply with HIPAA Rules
Not all healthcare organizations are required to comply with HIPAA, even though they may create, store, maintain, and transmit the same types of protected health information as a HIPAA covered entity. HIPAA only applies if an organization transmits PHI electronically in connection with transactions for which HHS has adopted standards.
Similarly, many health app developers and medical device manufacturers are not required to comply with HIPAA Rules, even though health data is collected, stored, and transmitted by those apps and devices. Medical device manufacturers and health app developers are only obligated to comply with HIPAA Rules if they are a business associate of a covered entity.
Patients should be aware that just because health data is collected, stored, transmitted, or used by an organization, it does not necessarily mean that their health and personal data are protected by HIPAA Rules. In addition, breaches of health data at organizations not covered by HIPAA will only require notifications to be issued if the breached information is covered by state breach notification laws or other applicable legislation.