HIPAA Laws: Who Are They Really For?

Do HIPAA laws apply to non-medical persons?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy standards for protected health information. The law applies to covered entities and their business associates, which include health plans, health care providers, and health care clearinghouses. These entities are required to comply with HIPAA if they transmit health information electronically in connection with certain transactions. While HIPAA protects sensitive health information from disclosure without a patient's consent, it does not apply to every person who may handle health information. For example, life insurance companies, workers' compensation insurers, and most schools are not required to follow HIPAA regulations.

Characteristics and values

  • Who must comply with HIPAA: Covered entities and their business associates
  • What is a covered entity? Health care providers, health plans, and health care clearinghouses
  • What is a business associate? A non-member of a covered entity's workforce using individually identifiable health information to perform functions for a covered entity
  • Who isn't required to comply with HIPAA? Life and long-term insurance companies, workers' compensation insurers, administrative agencies, employers, agencies that deliver Social Security and welfare benefits, automobile insurance plans that include health benefits, search engines and websites that provide health or medical information and are not operated by a covered entity, gyms and fitness clubs, direct-to-consumer genetic testing companies, mobile applications used for health and fitness purposes, certain alternative medicine practitioners, most schools and school districts, most law enforcement agencies, many state agencies like child protective services, courts
  • What information does HIPAA cover? "Health information" is any information (including genetic information) that is created or received by a health care provider, health plan, public health authority, employer, life insurance company, school or university, or health care clearinghouse and relates to the individual's past, present, or future physical or mental health or condition; treatment provided to an individual; or past, present, or future payment for healthcare an individual receives
  • What information isn't covered under the HIPAA Privacy Rule? Health information in employment records, health information in education records, health information regarding a person who has been deceased for over 50 years, de-identified data


Who Must Comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to everyone as individuals, as everyone has personally identifiable health information that they have the right to inspect and request corrections for when errors or omissions exist.

HIPAA also applies to certain types of organizations, depending on which section of HIPAA is being reviewed. The legislation addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans.

The Privacy Rule, a Federal law, gives individuals rights over their health information and sets rules and limits on who can look at and receive health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

The Privacy Rule covers:

  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically, such as electronic billing and fund transfers
  • Health plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for healthcare, such as Medicare and Medicaid

These entities are collectively called "covered entities" and are bound by the privacy standards even if they contract with others ("business associates") to perform some of their essential functions. Business associates include companies that help administer health plans, outside lawyers, accountants, IT specialists, and companies that store or destroy medical records.


What is Protected by HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services issued the HIPAA Privacy Rule to implement HIPAA requirements. The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities subject to the rule. These individuals and organisations are called "covered entities".

The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public's health. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.

The following types of individuals and organisations are subject to the Privacy Rule and considered covered entities:

  • Healthcare providers: Every healthcare provider, regardless of the size of the practice, who electronically transmits health information in connection with certain transactions. These transactions include benefit eligibility inquiries, referral authorisation requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
  • Health plans: Health, dental, vision, and prescription drug insurers; health maintenance organisations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; long-term care insurers (excluding nursing home fixed-indemnity policies); employer-sponsored group health plans; government- and church-sponsored health plans; and multi-employer health plans. An exception is made for group health plans with fewer than 50 participants administered solely by the establishing and maintaining employer.
  • Healthcare clearinghouses: Entities processing non-standard information received from another entity into a standard format or vice versa. Healthcare clearinghouses receive identifiable health information when providing processing services to a health plan or healthcare provider as a business associate.
  • Business associates: A non-member of a covered entity's workforce who uses individually identifiable health information to perform functions for a covered entity. These functions, activities, or services include permitted uses and disclosures, treatment, payment, and healthcare operations, and the opportunity to agree or object to the disclosure of PHI.

Protected health information under HIPAA includes all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This includes demographic data that relates to:

  • The individual's past, present, or future physical or mental health or condition.
  • The provision of health care to the individual.
  • The past, present, or future payment for the provision of health care to the individual.

Additionally, individually identifiable health information includes common identifiers such as name, address, birth date, and Social Security Number.

It is important to note that the Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act.

De-identified health information, on the other hand, has no restrictions on its use or disclosure. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. This can be achieved through a formal determination by a qualified statistician or by removing specified identifiers of the individual and their relatives, household members, and employers.

In summary, HIPAA protects sensitive health information from unauthorised disclosure and gives individuals rights over their health information. Covered entities, including healthcare providers, health plans, healthcare clearinghouses, and business associates, are responsible for safeguarding and appropriately using and disclosing protected health information.


How Can Protected Health Information Be Used and Disclosed?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The Privacy Rule, issued by the US Department of Health and Human Services (HHS), addresses the use and disclosure of individuals' protected health information (PHI) and gives patients rights over their health information. The Security Rule, a federal law, requires security for health information in electronic form.

  • Treatment, Payment, and Healthcare Operations: Covered entities, such as health care providers, health plans, and health care clearinghouses, can use and disclose PHI for treatment, payment, and healthcare operations without an individual's authorization. This includes sharing PHI with other healthcare providers involved in a patient's treatment and for billing purposes.
  • Opportunity to Agree or Object: Covered entities may disclose PHI to individuals, such as family or friends involved in the patient's care, if the patient has the opportunity to agree or object. This includes sharing basic information such as the patient's name, location, general condition, and religious affiliation.
  • Public Interest and Benefit Activities: The Privacy Rule permits the use and disclosure of PHI without an individual's authorization for 12 national priority purposes, including public health activities, abuse or neglect reporting, health oversight activities, judicial and administrative proceedings, and research.
  • Limited Dataset for Research: Covered entities may disclose a limited dataset of PHI for research, public health, or healthcare operations purposes. This does not include individually identifiable information and is often used for research purposes.
  • Law Enforcement and Public Safety: Covered entities may disclose PHI to law enforcement officials in specific circumstances, such as when required by law, to identify or locate a suspect, or to alert law enforcement about a crime that occurred on their premises. PHI can also be disclosed to prevent or lessen a serious threat to health or safety.
  • Psychotherapy Notes: The disclosure of psychotherapy notes generally requires patient authorization. However, covered entities may use and disclose these notes without authorization for their own treatment, payment, and healthcare operation purposes, as well as for training and legal defence.
  • Sharing with Attorneys and Insurance Companies: Disclosure of PHI to an attorney's office or an insurance company generally requires authorization from the individual. This is because the information is being shared outside of the covered entity and is not for treatment, payment, or healthcare operations.
  • Sharing with Family and Personal Representatives: Covered entities may disclose PHI to a patient's family members, personal representatives, or other caregivers in certain situations. This includes sharing information about the patient's location, general condition, or death. However, if the patient is present and able to object, their consent must be obtained.
  • Required by Law: Covered entities may use and disclose PHI when required by law, including court orders, subpoenas, and other legal proceedings. This may include reporting certain types of wounds or injuries, as mandated by state law.

It is important to note that HIPAA also sets restrictions on the use and disclosure of PHI. Covered entities must obtain authorization from individuals for most uses and disclosures that are not related to treatment, payment, or healthcare operations. Additionally, PHI should be limited to the minimum necessary for the intended purpose, and reasonable safeguards must be put in place to protect PHI from improper use or disclosure.


What Are the Penalties for Non-Compliance?

Non-compliance with HIPAA can result in civil and criminal penalties. The penalties for non-compliance are tiered, depending on the nature and extent of the violation, the harm caused, and the level of culpability.

Civil Penalties

Civil monetary penalties (CMPs) for non-compliance with HIPAA range from $137 to $68,928 per violation. The penalty structure is tiered, with four categories of violation:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided. The minimum fine is $100 per violation, up to $50,000.
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided. The minimum fine is $1,000 per violation, up to $50,000.
  • Tier 3: A violation resulting from "willful neglect" of HIPAA Rules, but where an attempt has been made to correct the violation. The minimum fine is $10,000 per violation, up to $50,000.
  • Tier 4: A violation constituting willful neglect, where no attempt has been made to correct the violation within 30 days. The minimum fine is $50,000 per violation.

The secretary of the Department of Health and Human Services (HHS) has discretion in determining the exact amount of the penalty, considering factors such as the nature and extent of the violation and harm caused, the covered entity's financial condition, and the size of the entity.

Criminal Penalties

Criminal penalties for HIPAA violations are handled by the Department of Justice (DOJ) and can result in fines and imprisonment. Criminal violations are divided into three tiers, with penalties including:

  • Tier 1: Reasonable cause or no knowledge of the violation – Up to 1 year in jail and/or a fine of up to $50,000.
  • Tier 2: Obtaining protected health information (PHI) under false pretenses – Up to 5 years in jail and/or a fine of up to $100,000.
  • Tier 3: Obtaining PHI for personal gain, commercial advantage, or with malicious intent – Up to 10 years in jail and/or a fine of up to $250,000.

Corrective Action Plans

In addition to financial penalties, covered entities may be required to adopt corrective action plans to address compliance deficiencies and bring their policies and procedures up to the standards demanded by HIPAA.


Who Isn't Required to Comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements. The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities subject to the rule. These individuals and organizations are called "covered entities".

Covered entities include:

  • Health plans, including health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, and employer-sponsored group health plans.
  • Most healthcare providers who electronically transmit health information in connection with certain transactions, such as benefit eligibility inquiries and referral authorization requests.
  • Healthcare clearinghouses, entities processing non-standard health information they receive from another entity into a standard format or vice versa.
  • Business associates of covered entities, including companies that help doctors get paid for providing healthcare, companies that administer health plans, and outside lawyers, accountants, and IT specialists.

While HIPAA applies to everyone as individuals inasmuch as everyone has personally identifiable health information that they have the right to inspect and request corrections for, there are certain types of organizations that are not required to comply with HIPAA. Examples of organizations that do not have to follow the Privacy and Security Rules include:

  • Workers' compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices
