Who Needs to be HIPAA Compliant?


The term “HIPAA” is now commonly known and is thrown around a lot, even in everyday life. How do we know exactly who and what HIPAA actually applies to?

Who needs to be concerned with HIPAA?

While it is good for everyone to have a baseline understanding of how HIPAA works, the organizations that need to be especially aware are called HIPAA covered entities.

The term HIPAA Covered Entities is defined as the following entities who transmit protected health information (PHI) physically or electronically to carry out financial or administrative activities related to healthcare:

  • Health plans: insurance companies, Medicare
  • Healthcare clearinghouses: insurance claims processing, billing, coding
  • Healthcare providers: clinics, hospitals, surgery centers

This sounds simple enough, but unfortunately it is a little more complex. Not all health plans and healthcare providers are covered entities, and conversely, some entities beyond this definition are required to comply with HIPAA rules.

There are a few exceptions, such as:

  • Self-funded and self-administered employer health plans with fewer than 50 participants.
  • Healthcare providers who do not transmit PHI electronically.

There are other times when entities and third-party services are required to comply with HIPAA rules. One notable third party category is known as business associates (BAs). A business associate is defined as:

“A person or organization that performs a function or activity on behalf of a covered entity but is not part of the covered entity’s workforce. A person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of a function or activity for the covered entity.”

What are some examples of BAs in healthcare?

  • An IT consultant working with the electronic health record.
  • An attorney who accesses medical records for a case.
  • A third-party billing service for a busy ED.
  • An independent medical transcriptionist working for a clinic.

Some business associates may not be as obvious, but if they have access to protected health information in any capacity, then they need to be termed a BA and sign a BA agreement before starting work. The BA agreement confers the same HIPAA responsibilities to the BA that the covered entity has.

What about subcontractors to business associates?

Yes, if the subcontractor has access to PHI. The healthcare ecosystem is complex, and the subcontractors and independent workers associated with business associates mean that people the covered entity is not aware of may have access to PHI. To protect against this, business associates are responsible for informing subcontractors of HIPAA guidelines and entering into a separate BA agreement with them.

What about researchers?

There is more healthcare data created each day than in any other industry. It would be a shame to have all of this Big Data at our fingertips without being able to use it to improve care – which is what researchers are doing.

HIPAA allows for three different scenarios for research:

  1. Covered entities can disclose PHI to researchers, provided that their patients have also authorized the use and disclosure of their PHI for research purposes. This situation does not require a business associate agreement.
  2. The data disclosed is part of a limited data set, meaning that it is not the entire health record but specific data elements that may be shared for research activities, public health activities, and healthcare operations without obtaining prior authorization from patients.
  3. De-identified data. Data that is not associated with any patient identifiers, such as name, number, date of birth, etc., can be used for research and analysis and is not considered PHI under HIPAA.

To wrap it up: covered entities, business associates, subcontractors, and researchers – and their employees – need to be educated about and compliant with HIPAA. A good program will involve training for all employees upon hire, as well as annual updates and refresher courses. Some organizations also do random checks throughout the business to make sure that processes are being followed and that employees are using good PHI practices.

Protecting patient privacy is important – and we at FormDr take our job seriously. As the provider of forms that contain sensitive PHI, HIPAA compliance is at the forefront of what we do. Need more HIPAA resources? Check out our other blog posts and feel free to contact us with questions about products and HIPAA compliance.