If you work in the healthcare industry, you have likely heard of HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act, which came about in 1996.
HIPAA refers to the federal regulations put in place to ensure that certain individuals in the healthcare sector keep health records confidential.
In short, it requires that certain health care professionals and businesses put safeguards in place to protect private data.
It also sets limits as to how information can be disclosed. Lastly, it gives patients the right to access their own health records and the right to request revisions to these records.
Ultimately, HIPAA was established by the U.S. Department of Health and Human Services to ensure that healthcare records – specifically protected health information (PHI) – remain private and confidential and are only disclosed on the basis that they are needed for the purposes of delivering health care.
It is imperative that all parties comply with these rules. Personal, sensitive information must always be protected.
However, HIPAA is a complex area, and there are a lot of myths as to who, exactly, must comply with these regulations. The reality is that many healthcare professionals and others are pushed toward software and training when they don’t need to be.
Many pieces of software will state that anyone in the healthcare space has to be HIPAA compliant. If you look at the actual laws in place, however, you will see that this is not true. This will be covered in more detail below.
While protection of sensitive data is of extreme importance, it is also important for health care providers and business associates to understand these regulations fully. With that in mind, this article will cover 6 things you need to know when it comes to HIPAA.
1. Everyone in the “Health Space” Does NOT Need to Comply with HIPAA
The key point in this article, as alluded to above, is that not everyone in the health space needs to comply with HIPAA, even though there are many pieces of software out there that will suggest otherwise.
HIPAA rules only apply to “covered entities” and business associates, as stated on the U.S. Department of Health and Human Services website, here. Technically speaking, business associates are not even legally obligated to comply, but this will be discussed in more detail in section 4.
Broadly speaking, the HHS government website specifically states that if an entity does not meet the definition of a covered entity or business associate, it has no responsibility for complying with HIPAA rules.
When various programs suggest that everyone in the health space has to comply, that claim is not based on the actual law and is therefore misleading, inaccurate information.
That brings us to the question of who, exactly, is considered a covered entity or a business associate.
2. Who Is Considered A Covered Entity?
You are considered a covered entity if any of the following three categories applies to you or your organization:
- You are a certain kind of health care provider. Doctors, dentists, clinics, psychologists, chiropractors, nursing homes and pharmacies are considered health care providers, but they only have to comply if they transmit data electronically in transactions for which HHS has rules governing it.
In other words, not all who work in the health space – not even all health care providers – necessarily need to comply with HIPAA.
- A Health Plan. This includes health insurance companies, company health plans, HMOs and government programs that pay for health care.
- Health Care Clearinghouses. Health care clearinghouses are entities that “process nonstandard health information they receive from another entity into a standard.”
If you are unsure whether or not you are considered a covered entity, you can use this Covered Entity Guidance Tool to determine whether or not you meet the requirements.
3. Understanding What Private Data Is Actually Subject to HIPAA Compliance Rules
The above point leads us to a discussion of what protected health information (PHI) is actually subject to HIPAA compliance rules. The following list of private data is subject to HIPAA compliance rules:
- A patient’s health or mental condition (past, present or future)
- A patient’s healthcare treatment
- Personal details such as date of birth, full name, health care number and demographic information
4. Understanding Covered Entities’ Business Associates’ Responsibility to Comply with HIPAA
Covered Entities must comply with HIPAA. This is non-negotiable.
However, in recent years, HIPAA has been expanded to state that covered entities’ business associates must also comply with HIPAA (who, exactly, constitutes a business associate is discussed in more detail in section 5).
This was put in place because it is now recognized that health care providers are not the only ones who deal with private health information.
For example, most health care providers rely on outside services and businesses to handle their health care data for them, in terms of data storage or through various legal channels.
This is to say that attorneys and tech companies, for example, both of which deal with private health information, can be considered business associates (this will be explored in more detail below).
What we are getting at here is that there are a lot of gray areas as to what legal obligations business associates actually have when it comes to complying with HIPAA.
At the time of this writing, by law, HIPAA compliance rules only apply to covered entities.
This is explicitly stated on the U.S. Department of Health and Human Services website, which you can see here.
However, covered entities still need to take certain precautions and ensure that certain requirements are met regarding their business associates.
The Privacy Rule allows health care providers and health plans to disclose private health information to business associates only in the following situation.
Covered entities must “obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”
Again, you can find this information on their website.
The website goes on to say that the covered entity may only disclose this information to a business associate insofar as these services are needed to help the covered entity perform its health care responsibilities.
Covered entities cannot disclose this information to business associates for the business associates’ own independent use or purposes (except in the event that it’s needed for management purposes).
As you saw above, it is stated that covered entities must “obtain satisfactory assurances.” This must be communicated in writing and can be in the form of a written contract or a written agreement between both the covered entity and the business associate.
The contract must also meet certain requirements, the details of which can be found here.
Keep in mind that there are exceptions in which a business associate contract does not need to be made and private health information can still be disclosed.
Here is a sample business associate contract.
5. What Does Not Constitute a “Business Associate?”
A business associate can be a person or entity. A business associate is someone who “performs functions or activities” that involve either the use or disclosure of protected health information OR provides services to a covered entity.
As to the specific people who “perform functions or activities…”, the full list of what this refers to can be viewed here, but legal services, accounting services, consulting, financial and other similar services fall into this category.
Here are some concrete examples of what constitutes a business associate.
What Constitutes a Business Associate:
- An attorney provides legal services to a covered entity that involves access to protected health information
What Does Not Constitute a Business Associate:
- Someone who works in the covered entity’s workplace
This is a list of frequently asked questions regarding business associates.
6. Stay On Top of Updates
Additions or changes to HIPAA policies are sometimes made. As you saw above, business associates were not always included in HIPAA regulations.
To ensure that all relevant parties are complying with federal regulations as to private health information, we would recommend that you make a point of checking for changes from time to time so that you stay up to date.
This will ensure that you are not committing any inadvertent violations and that you are protected.
The Bottom Line
The protection of personal health information is of utmost importance and must be prioritized by those handling this sensitive information.
At the same time, individuals and entities dealing with this information must understand their rights so that they do not needlessly invest time and resources into software and training when they do not need to.
At the time of this writing, not everyone in the health space is required to comply with HIPAA. Legally speaking, only covered entities are required to do so.
Yocale, the leading online scheduler for appointment-based businesses, offers secure, encrypted cloud data storage that meets the safeguards as specified by HIPAA.
For more detailed information on the safeguards we take with respect to HIPAA, click here.
Disclaimer: This article is not intended to constitute legal advice.