HIPAA regulates healthcare providers, health plans, and healthcare clearinghouses that transmit health data electronically in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.
Healthcare providers that are typically required to comply with HIPAA Rules include hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans such as HMOs, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs also fall within the remit of HIPAA. Self-insured firms that provide health coverage to their employees must likewise ensure that they comply with HIPAA Rules. Healthcare clearinghouses are entities that process nonstandard health information on behalf of a healthcare organization and convert it into a different format.
Any organization that can be classified as a HIPAA covered entity – see 45 CFR 160.103 – must comply with HIPAA Rules, and there are severe financial penalties for organizations that violate HIPAA Rules or fail to recognize that HIPAA compliance is required of them.
Business associates of HIPAA covered entities are also subject to HIPAA and can likewise be fined for HIPAA violations.
What is Classified as a HIPAA Business Associate?
A HIPAA business associate is an individual or entity that performs functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information (PHI). Any business associate of a HIPAA-covered entity must sign a HIPAA-compliant business associate agreement (BAA) – a contract that lists the elements of HIPAA Rules with which the business associate must comply (see 45 CFR 164.504(e)).
Business associates are required to agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, and access controls to prevent unauthorized access and disclosure. They must agree not to use PHI for any purpose other than those for which the information was shared. They must not disclose the information to any other people or entities (except subcontractors – see below). They must provide individuals with copies of their PHI on request, and must notify the covered entity of any breaches of protected health information.
Business associates include a wide range of individuals and entities, including companies that perform data analysis, process claims, or provide administrative, quality assurance, billing, payment, and collections services. Business associates also include accountants, consultants, attorneys, data storage firms, and data management agencies.
Are Subcontractors of Business Associates Subject to HIPAA?
Subcontractors of business associates are also subject to HIPAA. If a business associate of a HIPAA covered entity subcontracts any jobs or tasks to another entity, and that entity is required to view or use PHI to carry out its contracted duties, it must comply with HIPAA Rules. Business associates must therefore also enter into a business associate agreement with their subcontractors. As with the agreement between a business associate and a covered entity, a signed BAA constitutes ‘satisfactory assurances’ that the subcontractor has been informed of HIPAA Rules and is aware of its responsibilities with respect to PHI.
Are Researchers Subject to HIPAA?
Employees of covered entities are not business associates, but what about researchers? Does HIPAA apply to them? HIPAA Rules allow covered entities to disclose PHI to researchers once patients have authorized the use and disclosure of their PHI for research purposes. In such cases, PHI can be released. A business associate agreement is not required, although covered entities must enter into a data use agreement with the researcher. The data use agreement provides adequate assurances that HIPAA Rules will be followed with respect to the limited data set supplied.
Not All Healthcare Organizations Must Comply with HIPAA Regulations
Not all healthcare organizations must comply with HIPAA, even though they may create, store, manage, and transmit the same types of protected health information as a HIPAA covered entity. HIPAA applies only if an organization transmits PHI electronically for transactions for which HHS has adopted standards.
Similarly, many health app developers and medical device manufacturers are not obligated to comply with HIPAA Rules, even though health data is recorded, stored, and transmitted by their products. Medical device manufacturers and health app developers must comply with HIPAA Rules only if they are a business associate of a covered entity.
Patients should be aware that the mere fact that health data is collected, stored, transmitted, or used by an organization does not necessarily mean that their health and personal data is subject to HIPAA Rules. Likewise, breaches of health data at entities not covered by HIPAA require notifications to be issued only if the breached information falls within the scope of state breach notification laws.