Hipaa Laws: Do They Apply To Businesses?

The Health Insurance Portability and Accountability Act (HIPAA) applies to businesses in certain circumstances. HIPAA is a substantial piece of legislation passed by the US Congress in 1996, addressing the portability of health insurance and the accountability of group health plans to provide benefits when members have pre-existing conditions. It also allows for necessary information sharing to ensure individuals receive access to high-quality health care, while also protecting their right to privacy.

HIPAA applies to covered entities and business associates. Covered entities include health plans, health care providers, and health care clearinghouses. Business associates are individuals or businesses that provide services to or work with covered entities or other business associates. If a business associate performs services for a covered entity that involve the use or disclosure of protected health information (PHI), their contract will contain provisions relating to HIPAA.

lawshun

What is a covered entity?

The HIPAA Privacy Rule applies only to covered entities. Many organizations that use, collect, access, and disclose individually identifiable health information will not be covered entities and will not have to comply with the Privacy Rule.

Covered entities are defined in the HIPAA rules as:

  • Health plans: This includes health insurance companies, HMOs, employer-sponsored health plans, and government programs that pay for health care, like Medicare, Medicaid, and military and veterans' health programs.
  • Health care clearinghouses: These are entities that process non-standard health information they receive from another entity into a standard format or vice versa.
  • Health care providers: This includes hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan.

To be a covered entity, these entities must electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage.

Covered entities can be institutions, organizations, or persons. Researchers can also be covered entities if they are healthcare providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard.

If a covered entity engages a business associate to help carry out its healthcare activities and functions, it must have a written contract that establishes the tasks the business associate has been engaged to do and requires them to comply with HIPAA.

What is a business associate?

A business associate is a third-party organization or individual that is contracted by a covered entity to perform essential functions or provide services that involve the use or disclosure of protected health information (PHI). This means that if a third-party organization can access PHI as part of its delegated work, it is considered a business associate.

Covered entities, such as doctors, clinics, hospitals, and insurance companies, are responsible for safeguarding PHI under HIPAA. Business associates do not have direct contact with patients but may maintain or have access to their healthcare data. This includes physical copies of medical records, data sent electronically or via mail, financial information used by third-party billing companies, and patient information stored on cloud-based servers.

Examples of business associates include:

  • Software companies with access to PHI
  • Third-party claims processors
  • Companies in collections or claims processing
  • Third-party administrators
  • Pharmacy benefit managers
  • Patient safety or accreditation organizations
  • Medical transcription companies
  • Accreditation companies
  • Data processing firms or software companies that may be exposed to PHI
  • Medical equipment services companies that handle equipment containing PHI
  • Professional translators
  • Consultants
  • Healthcare clearinghouses that translate claims from non-standard to standard formats
  • External auditors or accountants
  • Shredding and/or documentation storage companies
  • E-prescribing services

It is important to note that even individual subcontractors and vendors of designated business associates are considered business associates if they create, receive, maintain, or send PHI on behalf of the parent organization. These business associates must be compliant with HIPAA, as outlined in the Omnibus Rule of 2013.

What are the compliance requirements?

The compliance requirements for HIPAA are extensive and detailed, and they apply to "covered entities" and "business associates" in different ways.

Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information in electronic form. These entities are required to comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

Business associates are individuals or organisations that provide services for or on behalf of covered entities and are generally required to comply with the Security Rule and Breach Notification provisions, §164.500(c) of the Privacy Rule, and any parts of the Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.

The compliance requirements for covered entities and business associates are outlined below:

Covered Entities

  • Develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
  • Designate a privacy official responsible for developing and implementing privacy policies and procedures and a contact person responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices.
  • Train all workforce members on privacy policies and procedures and apply appropriate sanctions for violations.
  • Mitigate any harmful effects caused by the use or disclosure of protected health information by the workforce or business associates in violation of privacy policies and procedures or the Privacy Rule.
  • Maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent the use or disclosure of protected health information in violation of the Privacy Rule.
  • Have procedures in place for individuals to complain about compliance with privacy policies and procedures and the Privacy Rule.
  • Provide a notice of privacy practices to individuals, explaining how the covered entity may use and disclose protected health information and outlining individuals' rights.
  • Allow individuals to request an alternative means or location for receiving communications of protected health information.
  • Provide individuals with the right to review and obtain a copy of their protected health information, request corrections if errors exist, and transfer their protected health information to another provider.
  • Give individuals the right to an accounting of disclosures of their protected health information.

Business Associates

  • Respect HIPAA requirements to comply with the applicable Administrative Simplification provisions of the Security and Breach Notification Rules and any Administrative Requirements or Privacy Rule provisions stipulated in a Business Associate Agreement.
  • Comply with the Security Rule, which includes:
      • Protecting against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information (ePHI).
      • Protecting against any reasonably anticipated uses or disclosures of protected health information that are not permitted by the Privacy Rule.
      • Ensuring compliance with the Security Rule by workforce members.
  • Comply with the Breach Notification Rule, which includes:
      • Notifying individuals, the relevant federal agency, and local media (in some cases) when a breach of unsecured protected health information occurs.
      • Establishing whether a breach is reportable by conducting a risk assessment.

What are the penalties for non-compliance?

Non-compliance with HIPAA can result in civil and criminal penalties. The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. In the case of non-compliance, OCR will first attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective action, and/or a resolution agreement; where that does not resolve the matter, civil and criminal penalties may follow.

Civil Penalties

There are four tiers of civil penalties for HIPAA violations, ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million. The specific penalty is determined based on the nature and extent of the violation, the harm resulting from the violation, and aggravating or mitigating factors. Aggravating factors include the number of individuals affected, the financial condition of the covered entity, and the size of the entity. Mitigating factors include whether the violation caused harm and the covered entity's history of prior compliance or non-compliance.

Criminal Penalties

Criminal violations of HIPAA are handled by the Department of Justice (DOJ). Criminal penalties for HIPAA violations can result in fines of up to $50,000 and imprisonment of up to one year. If the violation is committed under false pretenses, the penalties increase to a $100,000 fine and up to five years in prison. If the violation involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the penalties further increase to a $250,000 fine and up to 10 years in prison.

What are the rules for employers?

HIPAA, or the Health Insurance Portability and Accountability Act, applies to employers in certain circumstances. The law protects the privacy of individually identifiable health information. It is important for employers to understand these circumstances to avoid violations of HIPAA.

The rules for employers depend on whether they are considered a "covered entity" or a "business associate".

Covered Entities

Covered entities include healthcare providers, hospitals, employer-sponsored health plans, pharmacies, insurance companies, insurance plans, and clearinghouses. The US Department of Health and Human Services maintains a complete list of covered entities.

Covered entities must adopt written PHI privacy procedures, designate a privacy officer, require their business associates to sign agreements respecting the confidentiality of PHI, train employees in privacy rule requirements, give patients written notice of the covered entities' privacy practices, and provide patients with access to their medical records. They must also give patients the chance to request modifications to the records, request restrictions on the use or disclosure of their information, request an accounting of any use to which the PHI has been put, and request alternative methods of communicating information.

Covered entities must also establish a process for patients to use in filing complaints and for dealing with complaints. Finally, they must take any measures necessary to ensure that PHI is not used for making employment or benefits decisions, marketing, or fundraising.

Covered entities must also comply with the Privacy Rule, which controls how a health plan or a covered health care provider shares an individual's protected health information with an employer. The Privacy Rule does not protect employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.

Business Associates

Business associates are organisations or individuals that do business with covered entities and handle or process patients' protected health information in some way. Business associates are required to abide by HIPAA regulations and are directly liable for compliance with certain provisions of the HIPAA Rules.

If a covered entity engages a business associate, it must have a written contract or other arrangement that establishes what the business associate has been engaged to do and requires the business associate to comply with the Rules' requirements to protect the privacy and security of protected health information.

Non-Covered Entities

Non-covered entities are generally not covered by HIPAA and are therefore not required to abide by the strict privacy and security regulations included in the law. However, they likely have some privacy and security obligations under other federal laws, such as the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA).

One unique circumstance under which non-covered entities should be aware of the law's requirements is if they provide a self-funded health insurance plan. In this case, they are technically operating a covered entity (the health plan itself), and so the health insurance plan is subject to all of the requirements in HIPAA, while the primary business is not.

Another way employers may come into contact with an employee's PHI is through workers' compensation claims. In these instances, clinical documentation from medical appointments might be required to support the claim, and employers would need access to that information. However, just because an employer can access this data does not necessarily mean HIPAA applies.

Common Employer HIPAA Violations

Common employer HIPAA violations include hacking/IT incidents, theft/loss, unauthorised access/disclosure, and improper disposal of PHI.

Civil and Criminal Penalties for HIPAA Violations

Civil penalties for HIPAA violations can exceed $50,000 per violation. Violations committed with malicious intent could result in criminal charges—in the most egregious cases, up to 10 years in prison and $250,000 in fines.

Frequently asked questions

No, HIPAA laws do not apply to all businesses. The Health Insurance Portability and Accountability Act (HIPAA) laws apply to "covered entities" and their "business associates". Covered entities include health plans, health care providers, and health care clearinghouses. Business associates are individuals or businesses that provide services to or work with covered entities or other business associates.

Examples of covered entities include health insurance companies, HMOs, company health plans, government programs such as Medicare and Medicaid, doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.

Examples of business associates include companies that help health providers get paid, such as billing companies, companies that help administer health plans, lawyers, accountants, IT specialists, and companies that store or destroy medical records.

Covered entities must have contracts in place with their business associates to ensure proper use, disclosure, and safeguarding of health information. Business associates must also have similar contracts with subcontractors. They must follow the use and disclosure provisions of their contracts, the Privacy Rule, and the safeguard requirements of the Security Rule.
