The Health Insurance Portability and Accountability Act (HIPAA) applies to everyone as individuals in that everyone has personally identifiable health information that they have the right to inspect and request corrections to. However, HIPAA only directly regulates covered entities, which include health plans, health care clearinghouses, and health care providers who electronically transmit health information in connection with certain transactions. These covered entities must comply with HIPAA rules to protect health information privacy and security.
Characteristics | Values |
---|---|
Who does HIPAA apply to? | Everyone as individuals, majority of workers, most health insurance providers, employers who sponsor or co-sponsor employee health insurance plans, health plans, health care clearinghouses, qualifying healthcare providers, and business associates. |
Who is not required to follow HIPAA? | Life insurance companies, law enforcement agencies, most schools and school districts, health data aggregators, personal health fitness devices and apps, municipal offices and state agencies, websites that provide health information, and people who conduct screenings at pharmacies and shopping centres. |
What You'll Learn
Who is a HIPAA-covered entity?
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and their business associates. There are three types of covered entities under HIPAA:
- Health Care Providers: Doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and other entities that provide health care in exchange for payment. Health care providers must comply with HIPAA if they transmit health information electronically in connection with covered transactions.
- Health Plans: Health insurance companies, health maintenance organizations (HMOs), group health plans sponsored by an employer, government-funded health plans (such as Medicare and Medicaid), and other companies or arrangements that pay for health care.
- Health Care Clearinghouses: Entities that process information so that it can be transmitted in a standard format between covered entities. Clearinghouses often act as intermediaries between health care providers and health plans, facilitating the exchange of information for insurance purposes.
Business associates are individuals or entities that work with covered entities and have access to protected health information (PHI). They are required to sign a HIPAA-compliant business associate agreement, agreeing to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Business associates include companies providing data analysis, processing claims, administrative services, billing, and more.
It is important to note that not everyone who handles health information is required to comply with HIPAA. Some examples of organizations that are not covered by HIPAA include workers' compensation insurers, most schools and school districts, law enforcement agencies, and municipal offices.
HIPAA Laws: Pandemic Exception or Rule?
You may want to see also
Who is not required to follow HIPAA?
While HIPAA applies to everyone as individuals, as it gives them the right to inspect their health information and request corrections, it does not apply to all organisations.
The following are not required to follow HIPAA:
- Workers' compensation carriers
- Most schools and school districts
- Many state agencies, like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
- Life insurance companies
- Public agencies that deliver social security or welfare benefits
- Employers (unless they are otherwise considered covered entities)
- Agencies that deliver social security and welfare benefits
- Automobile insurance plans that include health benefits
- Search engines and websites that provide health or medical information and are not operated by a covered entity
- Gyms and fitness clubs
- Direct-to-consumer (DTC) genetic testing companies
- Many mobile applications (apps) used for health and fitness purposes
- Those who conduct screenings at pharmacies, shopping centres, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions
- Certain alternative medicine practitioners
- Researchers who obtain health data directly from healthcare providers
- Courts, where health information is material to a case
HIPAA Laws: Do They Apply to Sober Living Environments?
You may want to see also
What information is protected?
The Health Insurance Portability and Accountability Act (HIPAA) protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. This includes:
- Demographic data such as name, address, birth date, and Social Security Number.
- Information relating to an individual's past, present, or future physical or mental health condition, the provision of their health care, and the past, present, or future payment for their health care.
- Information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
The Privacy Rule excludes from protected health information:
- Employment records that a covered entity maintains in its capacity as an employer.
- Education records and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act.
- Health information regarding a person who has been deceased for over 50 years.
- De-identified data, which is health information that has had 18 specific identifiers removed.
Protected health information (PHI) also covers any combination of health information and identifiers created, received, maintained, or transmitted by a covered entity. This includes information that could be used to identify the subject of the health information, such as an individual's LGBTQ status, information about their emotional support animal, and contact information for a family member, when maintained in the same designated record set.
Covered entities under HIPAA include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with covered transactions. Business associates of covered entities must also comply with parts of the HIPAA regulations and are required to sign a HIPAA-compliant business associate agreement.
Understanding Texas Cottage Food Laws and Dry Seasonings
You may want to see also
What rights does the Privacy Rule give individuals over their health information?
The Privacy Rule gives individuals several rights over their health information. These rights include:
- The right to ask to see and get a copy of their health records.
- The right to have corrections added to their health information.
- The right to receive a notice that explains how their health information may be used and shared.
- The right to decide whether to give permission for their health information to be used or shared for certain purposes, such as marketing.
- The right to request that a covered entity restrict how it uses or discloses their health information.
- The right to get a report on when and why their health information was shared for certain purposes.
The Privacy Rule, a Federal law, gives individuals rights over their health information and sets rules and limits on who can look at and receive it. It applies to all forms of individuals' protected health information, be it electronic, written, or oral.
HIPAA Laws: Do They Apply to Dentists?
You may want to see also
How is HIPAA enforced?
The Health Insurance Portability and Accountability Act (HIPAA) is enforced by the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). The OCR enforces HIPAA's Privacy and Security Rules, which were issued in 2003 and 2005, respectively.
The OCR enforces these rules in several ways:
- Investigating complaints filed with it.
- Conducting compliance reviews to determine if covered entities are in compliance.
- Performing education and outreach to foster compliance with the Rules' requirements.
- Working with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
The OCR's enforcement process begins with an investigation of potential HIPAA Privacy or Security Rule violations. The OCR responds to individual complaints but may also discover HIPAA violations through other means, such as conducting audits. After the investigation, the OCR can resolve an issue by determining there is no violation, entering into a resolution agreement with the responsible party, or finding that the party is in violation and assessing penalties.
If a complaint describes a potential criminal violation of HIPAA, the OCR may refer the complaint to the DOJ for investigation.
The HIPAA Enforcement Rule allows the OCR to investigate potential HIPAA violations and assess civil monetary penalties (CMPs) for violations. State attorneys general also have the authority to enforce the HIPAA rules. However, individuals do not have a private right of action under HIPAA and cannot sue for a violation.
Deer Hunting Laws: Private Property Exemptions and Exceptions?
You may want to see also
Frequently asked questions
HIPAA applies to everyone as individuals in that everyone has personally identifiable health information that they have the right to inspect and request corrections to. It also applies to certain types of organizations, including health insurance companies, health maintenance organizations, government healthcare programs, healthcare clearinghouses, and business associates and their subcontractors.
HIPAA is not required for everyone and is not just for medical practitioners. Entities that do not need to follow HIPAA include life insurance companies, law enforcement agencies, schools and school districts, health data aggregators, personal health fitness devices and apps, municipal offices, and state agencies not involved in healthcare services.
A HIPAA business associate is an individual or entity that performs functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information. Business associates include companies that conduct data analysis, process claims, provide administrative services, and offer billing, payment, and collection services. They are required to sign a HIPAA-compliant business associate agreement, which details the elements of HIPAA rules that must be complied with.
A HIPAA-covered entity is an individual, organization, or business that must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. Covered entities include healthcare providers, health plans, and healthcare clearinghouses.