HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if they transmit health data electronically in connection with transactions for which the Department of Health and Human Services (HHS) has implemented standards.
Healthcare providers that are typically required to comply with HIPAA Rules include hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans such as HMOs, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs are also covered. Self-insured companies that provide health coverage to their employees are likewise required to comply with HIPAA Rules. The healthcare clearinghouses to which HIPAA applies are entities that process nonstandard health information on behalf of a healthcare organization and convert the data into a different format.
Any organization that can be classified as a HIPAA covered entity – see 45 CFR 160.103 – must comply with HIPAA Rules, and there are severe financial penalties for organizations that violate HIPAA Rules or fail to recognize that HIPAA compliance is mandatory.
HIPAA Rules also apply to business associates of HIPAA covered entities, and business associates can be sanctioned directly for HIPAA violations.
What is classified as a HIPAA Business Associate?
A HIPAA business associate is an individual or entity that carries out functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information (PHI). Any business associate of a HIPAA-covered entity must enter into a HIPAA-compliant business associate agreement (BAA) – a contract that details the elements of HIPAA Rules with which the business associate must comply (see 45 CFR 164.504(e)).
Business associates must agree to put in place security measures to ensure the confidentiality, integrity, and availability of PHI, together with access controls to prevent unauthorized access and disclosures. They must agree not to use PHI for any purpose other than the purpose for which the information was shared. They must not disclose the information to any other individuals or entities (except subcontractors – see below). They must provide individuals with copies of their PHI on request, and must notify their covered entity of any breaches of protected health information.
Business associates include a wide variety of individuals and entities, including companies that carry out data analysis, process claims, or provide administrative, quality assurance, billing, payment, and collections services. Business associates also include professionals such as accountants, consultants, attorneys, data storage firms, and data management companies.
Is HIPAA Applicable to Subcontractors of Business Associates?
HIPAA also applies to subcontractors of business associates. If a business associate of a HIPAA covered entity subcontracts any work to another entity, and that entity must access or use PHI to perform its contracted duties, HIPAA Rules must be complied with. Business associates must therefore also enter into a business associate agreement with their subcontractors. As is the case between business associates and their covered entities, a completed BAA constitutes ‘satisfactory assurances’ that the subcontractor has been advised of HIPAA Rules and is aware of its responsibilities with respect to PHI.
Is HIPAA Applicable to Industry Researchers?
Employees of covered entities are not business associates, but what is the position of researchers? Does HIPAA apply to researchers? HIPAA Rules permit covered entities to disclose PHI to researchers once patients have authorized the use and disclosure of their PHI for research purposes. In such cases, PHI can be shared. A business associate agreement is not necessary, although covered entities must enter into a data use agreement with the researcher. The data use agreement provides satisfactory assurances that HIPAA Rules will be complied with in respect of the limited data set provided.
Not Every Healthcare Organization Must Comply with HIPAA Regulations
Not all healthcare organizations are obligated to comply with HIPAA Rules, even though they may create, store, maintain, and transmit the same kinds of protected health information as a HIPAA covered entity. HIPAA only applies if an organization transmits PHI electronically for transactions for which HHS has implemented standards.
Similarly, many health app and medical device producers are not required to comply with HIPAA Rules, even though health data is recorded, stored, and transmitted by those devices. Medical device producers and health app developers are only required to comply with HIPAA Rules if they are a business associate of a covered entity.
Patients should be aware that just because health data is collected, stored, transmitted, or used by an organization, it does not necessarily mean that their health and personal data are governed by HIPAA Rules. Likewise, breaches of health data at entities not covered by HIPAA will only require notifications to be issued if the breached information is covered by state breach notification legislation.