HIPAA Law: Who Is Bound by It?

The Health Insurance Portability and Accountability Act (HIPAA) is a substantial piece of legislation passed by the US Congress in 1996. It establishes common standards across the US healthcare system to protect patient information.

HIPAA applies to everyone as individuals inasmuch as everyone has personally identifiable health information that they have the right to inspect and for which they may request corrections when errors or omissions exist. However, there is often confusion about whether HIPAA applies to specific businesses or employees.

The law defines two groups to which it applies: covered entities and business associates. Covered entities include healthcare providers, health insurance companies, and healthcare clearinghouses. Business associates are individuals or entities that carry out operations or responsibilities that involve using or disclosing protected health information, either on behalf of or as an agent of a covered entity.

| Characteristic | Value |
| --- | --- |
| Who does HIPAA apply to? | Everyone as individuals, the majority of workers, most health insurance providers, employers who sponsor or co-sponsor employee health insurance plans, researchers, employees of covered entities and business associates |
| What is a covered entity? | Health plans, health care providers, health insurance companies, and healthcare clearinghouses |
| What is a business associate? | Individuals or entities that carry out operations or responsibilities that involve using or disclosing PHI, either on behalf of or as an agent of a covered entity |
| What is PHI? | Any information that relates to a patient's past, present, or future physical or mental health condition or payment status, in which there is a reasonable belief that it could be used to identify the patient |
| Who is not required to follow HIPAA? | Workers compensation carriers, most schools and school districts, many state agencies like child protective service agencies, most law enforcement agencies, and many municipal offices |

lawshun

Who is Bound by HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to everyone as individuals inasmuch as everyone has personally identifiable health information that they have the right to inspect and for which they may request corrections when errors or omissions exist. As for organizations, the law applies to two groups: covered entities and business associates.

Covered Entities

Covered entities (CEs) are individual or group plans that provide or pay the cost of medical care. This could include health, dental, vision, prescription, Medicare, or Medicaid organizations and those who work within them. They are the primary focus of the law. All three groups of covered entities (healthcare providers, healthcare clearinghouses, and insurance companies) perform activities that are essential to protected health information (PHI) as defined by the law. PHI is the axis upon which the whole law rotates.

Healthcare providers create and use PHI during the diagnosis and treatment of patients. Healthcare clearinghouses serve as middlemen between insurance companies and providers by processing or facilitating the processing of nonstandard data elements of health information into standard data elements. Insurance companies use healthcare clearinghouse data to determine the eligibility of healthcare services performed by covered entities and to make payments for services deemed eligible.

Business Associates

The second group that is required to follow HIPAA guidelines is business associates. According to the law, any business performing services for a covered entity that requires them to take possession of PHI is considered a business associate. This could include people or organizations involved in billing, benefits management, quality assurance, legal, and more. It's important to note that a covered entity is liable for the activities of any business associate that is their agent.

Who is a Covered Entity Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to everyone as individuals, as it gives them the right to inspect and request corrections to their health information. However, when it comes to organizations, there is some confusion as to which entities are required to implement HIPAA compliance programs. This is because the section of the Act that addresses the protection of individually identifiable health information is relatively small and not always clear.

HIPAA covered entities include health plans, health care providers, and health care clearinghouses. More specifically, covered entities are:

  • Health insurance companies
  • HMOs (Health Maintenance Organizations)
  • Employer-sponsored health plans
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans' health programs
  • Health care providers that submit HIPAA transactions electronically, such as claims
  • Organizations that process non-standard health information to conform to standard data content or format, or vice versa

In addition, business associates of covered entities must also comply with parts of the HIPAA regulations. Business associates include companies that help administer health plans, outside lawyers, accountants, IT specialists, companies that store or destroy medical records, and more. Covered entities must have contracts in place with their business associates to ensure proper handling and protection of health information.

Who is a Business Associate Under HIPAA?

A "business associate" is an individual or entity that is required to perform functions on behalf of a HIPAA-covered entity. This involves the use or disclosure of protected health information (PHI). Any business associate of a HIPAA-covered entity must sign a HIPAA-compliant business associate agreement, a contract that details the elements of the HIPAA Rules that the business associate must comply with.

Business associates are required to agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, as well as access controls to prevent unauthorized access and disclosures. They must not use PHI for any purpose other than the one for which it was disclosed and must not disclose the information to any other individuals or entities (except subcontractors). They must also provide individuals with copies of their PHI upon request and must notify their covered entity of any breaches of protected health information.

Business associates span a wide range of individuals and entities, including companies that conduct data analysis, process claims, or provide administrative, quality assurance, billing, payment, and collections services. They also include accountants, consultants, attorneys, data storage firms, and data management companies.

Business associates are required to enter into contracts with their covered entities to ensure that they appropriately safeguard protected health information. The business associate contract also clarifies and limits the permissible uses and disclosures of protected health information by the business associate. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making unauthorized uses and disclosures of protected health information.

A written contract between a covered entity and a business associate must:

  • Establish the permitted and required uses and disclosures of protected health information by the business associate.
  • Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including complying with the requirements of the HIPAA Security Rule with regard to electronic protected health information.
  • Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  • Require the business associate to disclose protected health information to satisfy a covered entity's obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments and accountings.
  • To the extent that the business associate is carrying out a covered entity's obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  • Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS in determining the covered entity's compliance with the HIPAA Privacy Rule.
  • At the termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  • Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  • Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

In summary, a business associate under HIPAA is an individual or entity that performs functions or activities on behalf of a covered entity, involving access to or use and disclosure of protected health information. Business associates are required to enter into contracts with covered entities, implement appropriate safeguards to protect health information, and comply with relevant HIPAA Rules.

What Types of Information Are Covered Under HIPAA's Privacy Rule?

The HIPAA Privacy Rule establishes national standards for the protection of certain health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This includes:

  • Information relating to an individual's past, present, or future physical or mental health condition
  • Information about the provision of health care to the individual
  • Information about past, present, or future payments for the provision of health care to the individual
  • Common identifiers such as name, address, birth date, and Social Security Number

The Privacy Rule excludes from protected health information:

  • Employment records that a covered entity maintains in its capacity as an employer
  • Education records and certain other records subject to the Family Educational Rights and Privacy Act

De-identified health information, which does not identify or provide a reasonable basis to identify an individual, is not restricted under the Privacy Rule.

What are the Requirements for Use and Disclosure of Private Health Information?

The Privacy Rule establishes a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information") by organizations subject to the Privacy Rule (called "covered entities").

The Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. This includes health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, Medicaid, and long-term care insurers. It also includes employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans.

Health care providers, regardless of size, who electronically transmit health information in connection with certain transactions, are also covered entities. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.

Health care clearinghouses are entities that process non-standard information they receive from another entity into a standard format or data content, or vice versa. In most cases, health care clearinghouses will only receive individually identifiable health information when providing these processing services to a health plan or health care provider as a business associate.

Business associates are individuals or organizations that perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of individually identifiable health information. This includes claims processing, data analysis, utilization review, and billing.

Covered entities may disclose protected health information without an individual's authorization for the following purposes:

  • To the individual
  • Treatment, payment, and health care operations
  • Opportunity to agree or object
  • Incident to an otherwise permitted use and disclosure
  • Public interest and benefit activities
  • Limited data set for the purposes of research, public health, or health care operations

Covered entities must also disclose protected health information when individuals request access to their protected health information or an accounting of disclosures. They must also disclose it to HHS when the department is undertaking a compliance investigation, review, or enforcement action.

In addition, covered entities may disclose protected health information without individual authorization as required by law, for public health activities, to appropriate government authorities regarding victims of abuse, neglect, or domestic violence, and for health oversight activities. They may also disclose it for judicial and administrative proceedings and law enforcement purposes under certain circumstances.

Covered entities must obtain an individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations, or otherwise permitted or required by the Privacy Rule. This includes disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for marketing purposes.

The Privacy Rule also sets out requirements for safeguarding protected health information, including physical, technical, and administrative safeguards. Covered entities must also have policies and procedures in place to restrict access to protected health information and must train their workforce on privacy policies and procedures.
