Hipaa Laws: Do Private Citizens Need To Comply?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes baseline privacy and security standards for medical information. HIPAA applies to covered entities and their business associates, which include healthcare providers, health plans, and healthcare clearinghouses. These entities are bound by privacy standards even if they contract with others to perform essential functions. While HIPAA does not protect all health information and does not apply to every person who may access or use health information, it is important to understand its scope and limitations as a patient. Individuals do not have the right to sue under HIPAA, but violations can result in criminal prosecution and penalties.

Characteristics and values

  • Who must comply with HIPAA? Covered entities, business associates, subcontractors, and hybrid entities.
  • Who isn't required to comply with HIPAA? Life and long-term insurance companies, workers' compensation insurers, administrative agencies, employers, agencies that deliver social security and welfare benefits, automobile insurance plans with health benefits, search engines and websites that provide health or medical information and are not operated by a covered entity, gyms and fitness clubs, direct-to-consumer (DTC) genetic testing companies, many mobile applications (apps) used for health and fitness purposes, those who conduct screenings at public places, certain alternative medicine practitioners, most schools and school districts, researchers who obtain health data directly from healthcare providers, most law enforcement agencies, many state agencies, and courts.
  • What information does HIPAA cover? "Health information" created or received by a healthcare provider, health plan, public health authority, employer, life insurance company, school or university, or healthcare clearinghouse relating to an individual's past, present, or future physical or mental health, treatment provided, or payment for healthcare.
  • What information isn't covered under the HIPAA Privacy Rule? Health information in employment records, health information in education records, health information regarding a person who has been deceased for over 50 years, and de-identified data.

Who must comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets out baseline privacy and security standards for medical information. The US Department of Health and Human Services (HHS) is responsible for creating and enforcing rules to implement HIPAA.

HIPAA applies to "covered entities" and their "business associates". There are three types of covered entities:

  • Health care providers: Doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and other entities that provide health care in exchange for payment. These providers must comply with HIPAA if they transmit health information electronically in connection with covered transactions, such as processing claims and receiving payments.
  • Health plans: Health insurance companies, health maintenance organizations (HMOs), group health plans sponsored by employers, government-funded health plans (e.g. Medicare and Medicaid), and other companies or arrangements that pay for health care.
  • Health care clearinghouses: These entities process information so that it can be transmitted in a standard format between covered entities. They often act as intermediaries between health care providers and health plans, rarely dealing directly with patients.

Business associates are individuals or entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or another business associate acting as a subcontractor. They perform various services for covered entities, including administrative accreditation, processing or administering claims, and certain patient safety activities.

Covered entities must execute written contracts with their business associates to ensure compliance with HIPAA standards. Business associates are directly liable for violations of the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule, making them subject to HHS audits and penalties.

HIPAA does not protect all health information: it applies only to covered entities and their business associates. Numerous individuals and entities handle health information but are not covered under HIPAA, such as life and long-term insurance companies, agencies delivering social security and welfare benefits, gyms and fitness clubs, researchers who obtain health data directly from healthcare providers, and most schools and school districts.

Who isn't required to comply with HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, applies to "covered entities" and their business associates. Covered entities include:

  • Health care providers who conduct certain financial and administrative transactions electronically
  • Health plans, such as health insurance companies, health maintenance organizations, and government-funded health plans
  • Health care clearinghouses, which process information so that it can be transmitted between covered entities

Business associates are third parties that perform functions or activities that require the use of protected health information (PHI). This includes entities that transmit PHI on behalf of a covered entity and require routine access to this data, such as regional Health Information Organizations (HIOs).

Individuals and entities that are not required to comply with HIPAA include:

  • Life and long-term insurance companies
  • Workers' compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities)
  • Agencies that deliver Social Security and welfare benefits
  • Automobile insurance plans that include health benefits
  • Search engines and websites that provide health or medical information and are not operated by a covered entity
  • Gyms and fitness clubs
  • Direct-to-consumer (DTC) genetic testing companies
  • Mobile applications used for health and fitness purposes
  • Certain alternative medicine practitioners
  • Most schools and school districts
  • Researchers who obtain health data directly from healthcare providers
  • Most law enforcement agencies
  • Many state agencies, like child protective services
  • Courts, where health information is material to a case

What information does HIPAA cover?

The Health Insurance Portability and Accountability Act (HIPAA) covers the privacy of individually identifiable health information. This includes any information that relates to:

  • An individual's past, present, or future physical or mental health condition.
  • The provision of health care to an individual.
  • The past, present, or future payment for the provision of health care to an individual.

This information is classed as protected health information (PHI) when it contains identifiers that could allow a patient or health plan member to be identified. This includes demographic data such as name, address, date of birth, and Social Security number.

HIPAA also covers any information maintained in the same designated record set that could be used to identify the individual to whom the health information relates. This is why items sometimes classified as PHI have nothing to do with the individual's health (e.g., IP addresses, vehicle registration numbers, email addresses, etc.).

The HIPAA Privacy Rule applies to all forms of health information, including paper records, films, and electronic health information—even spoken information. It is important to note that HIPAA does not cover health information in employment records or, for the most part, education records. De-identified data and health information about a person who has been deceased for over 50 years are also not covered by HIPAA.

In addition to defining the health information it protects, HIPAA also applies to health care providers, health plans, health care clearinghouses, and business associates of HIPAA-covered entities. Healthcare providers include hospitals, clinics, physicians, nursing homes, pharmacies, chiropractors, dentists, and psychologists. Health plans include health insurers, company health plans, HMOs, and government programs such as Medicaid and Medicare. Healthcare clearinghouses are organizations that transform non-standard health data into a standard format. A business associate is an individual or entity that performs functions for a HIPAA-covered entity that require the use or disclosure of PHI.

How does the US Department of Health and Human Services enforce HIPAA?

The US Department of Health and Human Services (HHS) enforces HIPAA through its Office for Civil Rights (OCR). The OCR enforces the Privacy and Security Rules, which were issued in 2003 and 2005, respectively. The Privacy Rule establishes national standards for the protection of health information, while the Security Rule sets standards for safeguarding electronic protected health information.

The OCR enforces these rules through investigations and compliance reviews, as well as by imposing civil monetary penalties for violations. Individuals can file a complaint with the OCR if they believe their rights under HIPAA have been violated. The OCR will then investigate the complaint and determine whether there has been a violation. If a violation is found, the OCR can resolve the issue through a resolution agreement or by imposing penalties.

The penalties for violations of HIPAA depend on the date of the violation and the level of culpability of the violator. The maximum penalty is $1.5 million per year for violations of the same HIPAA provision. The OCR may also refer matters to a hearing before an administrative law judge.

In addition to the OCR, state attorneys general also have the authority to enforce HIPAA rules. However, individuals do not have a private right of action to sue under HIPAA.

Can individuals sue under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes baseline privacy and security standards for medical information. It is enforced by the U.S. Department of Health and Human Services (HHS), which can investigate potential violations and impose civil monetary penalties.

While HIPAA violations are handled by the HHS, individuals do not have a private right of action to sue under HIPAA. This does not, however, preclude individuals from taking legal action against healthcare providers and covered entities for violations of state laws. In some states, it is possible to file a lawsuit on grounds of negligence or breach of an implied contract if a covered entity has failed to protect medical records. To succeed in such cases, the plaintiff must prove that harm or damage was caused by the negligence or by the theft of unsecured personal information.

Additionally, state attorneys general can pursue cases against covered entities for HIPAA violations, and individuals can speak to them about pressing criminal charges. Criminal charges for HIPAA violations are typically filed by state attorneys against individual actors rather than organizations. These criminal charges can result in several years of jail time, probation, and other penalties, including the loss of the ability to work in the medical field.

While individuals cannot directly sue under HIPAA, they can join class-action lawsuits, which have been increasingly filed for protected health information data breaches. These lawsuits claim damages for future harm due to stolen data, but the chances of success are reduced without evidence of actual harm.

Frequently asked questions

HIPAA applies to covered entities and their business associates. Covered entities include health care providers, health plans, and health care clearinghouses. Business associates are entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity.

HIPAA covers "health information" created or received by a covered entity that relates to an individual's past, present, or future physical or mental health, treatment provided, or payment for healthcare. This includes electronic, oral, and paper records.

While private citizens cannot be prosecuted under HIPAA, they may be subject to other legal consequences depending on the state. For example, in some states, a HIPAA violation can establish a violation of the standards of care for negligence.
