Who Does HIPAA Apply To?

August 26, 2024
Table of Contents
- Introduction
- What is a covered entity under HIPAA?
- What is a Business Associate under HIPAA?
- What Types of Information Are Covered Under HIPAA’s Privacy Rule?
- Requirements for Use and Disclosure of Private Health Information
- As an Employee or Supervisor, What Can You Do To Ensure Compliance?
- Conclusion
HIPAA, also known as the Health Insurance Portability and Accountability Act, is a federal law passed by the US government on the 21st of August, 1996. There are over 629 healthcare regulations in place, and navigating each one of them precisely can be difficult.
This important law protects patient privacy and ensures the confidentiality of patient information. But who does HIPAA apply to? The answer depends on whether your business or organization meets the criteria that trigger HIPAA compliance obligations.
In this comprehensive guide, we will explore the different bodies and individuals that HIPAA applies to. So brace yourself as we go through the specifics of this policy.
What is a covered entity under HIPAA?
A covered entity under HIPAA refers to the organizations and individuals that must comply with this law in order to protect patient data. For your understanding, we have listed the top covered entities under each domain.
- Healthcare Providers
  - Doctors
  - Clinics
  - Dentists
  - Chiropractors
  - Nursing homes
  - Pharmacies
- Health Plans
  - Health insurance companies
  - HMOs (Health Maintenance Organizations)
  - Company health plans
  - Government programs that pay for healthcare (Medicare and Medicaid)
What is a Business Associate Under HIPAA?
A business associate under HIPAA is a person or organization that uses or handles protected health information (PHI) on behalf of a covered entity. Business associates are mostly service providers offering support to covered entities, and they play a critical role in supporting healthcare organizations that fall under HIPAA compliance.
These are some business associates that fall under HIPAA:
- Third-Party Administrators: Handle claims processing for health plans.
- Billing Companies: Manage billing and collection services for healthcare providers.
- IT Service Providers: Offer data storage, cloud computing, or other technology solutions that involve PHI.
- Law Firms: Provide legal services to covered entities, especially when accessing PHI.
- Consultants: Offer advisory services that require access to PHI.
- Accountants: Perform financial audits or other accounting services for healthcare entities.
- Shredding Companies: Dispose of documents containing PHI securely.
- Transcription Services: Convert voice-recorded medical reports into written text.
Business associates must enter into a Business Associate Agreement (BAA) with the covered entity. The BAA sets out their responsibilities and the protections they must apply to PHI.
What Types of Information Are Covered Under HIPAA’s Privacy Rule?
The HIPAA Privacy Rule protects all “protected health information”, which covers a wide range of personal health data. PHI is any information that can identify an individual and relates to their past, present, or future physical or mental health condition, to the provision of healthcare to them, or to the payment for that healthcare. Here are the main types of information covered:
- Personal Identifiers:
  - Names
  - Addresses (including street, city, county, zip code, and equivalent geocodes)
  - Dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death
  - Telephone numbers
  - Fax numbers
  - Email addresses
  - Social Security numbers
  - Medical record numbers
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate/license numbers
  - Vehicle identifiers and serial numbers, including license plate numbers
  - Device identifiers and serial numbers
  - Web URLs
  - Internet Protocol (IP) addresses
  - Biometric identifiers, including fingerprints and voiceprints
  - Full-face photographs and any comparable images
  - Any other unique identifying number, characteristic, or code
- Medical Information:
  - Diagnoses
  - Treatment information
  - Medical histories
  - Medication lists
  - Test results
  - Progress notes
  - Hospital discharge summaries
- Payment Information:
  - Billing information
  - Insurance information
  - Payment records
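The identifier list above is what a data-loss-prevention or log-scrubbing check has to look for before free text leaves a system. The following Python script is an added example, not code from the original article or from any HIPAA tool: it scans a constructed, entirely fictitious clinical note for a handful of the direct identifiers listed above (SSN, phone, email, IP address, full dates, medical record number) and redacts them. The regex patterns are hypothetical heuristics written for this illustration; note that a name such as the one in the sample is not matched at all, which is exactly why pattern matching alone does not make text de-identified.

```python
import re

# Constructed sample note; every value in it is fictitious.
SAMPLE_NOTE = (
    "Patient Jane Roe, DOB 03/14/1985, admitted 2024-08-20. "
    "Call 555-867-5309 or jane.roe@example.com. SSN 123-45-6789. "
    "MRN 00482913. Logged from 10.1.2.33."
)

# Hypothetical regex heuristics for a subset of the Privacy Rule's direct
# identifiers. A production scanner needs many more (names, addresses,
# device and account numbers) and context-aware matching.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Full dates (month and day present) are identifiers; a bare year is not,
    # so a four-digit year on its own is deliberately not matched.
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return {identifier_kind: [matched strings]} for every kind found."""
    found = {}
    for kind, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[kind] = matches
    return found


def redact(text):
    """Replace each detected identifier with a labelled placeholder."""
    redacted = text
    for kind, pattern in PATTERNS.items():
        redacted = pattern.sub(f"[{kind.upper()} REDACTED]", redacted)
    return redacted


if __name__ == "__main__":
    for kind, values in find_identifiers(SAMPLE_NOTE).items():
        print(f"{kind}: {values}")
    print(redact(SAMPLE_NOTE))
```

Running the script lists each detected identifier class and prints the redacted note; the patient's name survives untouched, so a real control would pair this kind of scan with structured-field redaction or a trained named-entity detector rather than relying on regexes.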
Requirements for Use and Disclosure of Private Health Information
The Health Insurance Portability and Accountability Act has a number of regulations in place governing the use and disclosure of PHI. These rules protect the privacy of patients without blocking the legitimate uses of data that are needed to deliver care to people in need.
The rules are subdivided into five areas: General Requirements, Permitted Uses & Disclosures, Required Disclosures, Safeguards & Compliance, and Patient Rights.
Let’s explore each subdivision in depth.
- General Requirements
  - Use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose.
  - Obtain written authorization from the patient for uses and disclosures of PHI not otherwise permitted or required by HIPAA.
- Permitted Uses & Disclosures
  - PHI may be used and disclosed to provide, coordinate, or manage healthcare. It may also be used and disclosed for payment and billing purposes.
  - Other uses and disclosures generally require the patient’s authorization. Without authorization, PHI may still be used and disclosed in cases of:
    - Public health activities (e.g., disease control, reporting adverse reactions to medications)
    - Victims of abuse, neglect, or domestic violence
    - Health oversight activities (e.g., audits, investigations)
    - Judicial and administrative proceedings (in response to a court order or subpoena)
    - Law enforcement purposes
    - Research purposes (under certain conditions)
    - To avert a serious threat to health or safety
    - Specialized government functions (e.g., military, national security)
    - Workers’ compensation
  - Incidental disclosures must be addressed by having reasonable safeguards already in place.
- Required Disclosures
  - Upon request, individuals have the right to access their PHI.
  - PHI must be disclosed to HHS (Health and Human Services) for compliance investigations.
- Safeguards & Compliance
  - Administrative safeguards: implement policies and procedures to manage the selection, development, implementation, and maintenance of security measures.
  - Physical safeguards: control physical access to protect against inappropriate access to PHI.
  - Technical safeguards: use technology to protect and control access to PHI.
- Patient Rights
  - Patients have the right to access and obtain a copy of their PHI.
  - They can request corrections to their PHI.
  - Patients can request a list of disclosures of their PHI made by the covered entity.
  - Patients can request restrictions on the use or disclosure of their PHI.
  - They can also request that communications about their PHI be made in a certain way or at a certain location.
As an Employee or Supervisor, What Can You Do To Ensure Compliance?
Ensuring compliance with HIPAA regulations is a critical responsibility for both employees and supervisors. By following these guidelines, you can protect patient privacy and secure sensitive health information.
If you are an employee, follow these steps to ensure HIPAA compliance:
- Familiarize yourself with your organization’s HIPAA policies and procedures.
- Participate in mandatory HIPAA training sessions and stay updated on any changes.
- Only access patient information necessary for your job duties.
- Ensure that physical and electronic records are secured and not left unattended.
- Discuss patient information in private areas to avoid unauthorized disclosure.
- Immediately report any suspected HIPAA violations or security breaches to your supervisor or compliance officer.
If you are a supervisor, follow these steps to ensure HIPAA compliance:
- Provide ongoing HIPAA training for employees and ensure new hires receive initial training.
- Regularly review employee access and usage of PHI to ensure everyone is following the guidelines.
- Develop and implement comprehensive HIPAA policies and procedures within your department.
- Ensure all electronic systems comply with HIPAA security standards. This includes encryption and secure access controls.
- Create an environment where employees feel comfortable reporting potential HIPAA violations without fear of consequences.
- Conduct periodic audits and risk assessments. This will help identify and address potential risks in PHI handling and storage.
Conclusion
To properly understand “who does HIPAA apply to”, it is important to start by familiarizing yourself with the regulations under HIPAA. Once you have done so, you can determine whether an organization or individual is subject to HIPAA and compliant with it. HIPAA primarily applies to three main categories of entities: healthcare providers, health plans, and healthcare clearinghouses. These entities must follow strict guidelines and use or disclose PHI only for permitted, clearly defined purposes.
Whether you are a professional managing patient records or a third-party service provider dealing with PHI, HIPAA compliance is not just a legal requirement. By understanding and following these rules, healthcare businesses build trust and reliability within the system.