The Health Insurance Portability and Accountability Act (HIPAA) applies to everyone as individuals in the sense that everyone has personally identifiable health information that they have the right to inspect and request corrections for. However, HIPAA also applies to certain types of organizations depending on which section of the Act is being considered.
The Privacy Rule, a Federal law, gives individuals rights over their health information and sets rules and limits on who can look at and receive it. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.
The Security Rule is a Federal law that requires security for health information in electronic form.
The Privacy Rule covers health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. These entities are collectively called covered entities and are bound by the privacy standards even if they contract with others (business associates) to perform some of their essential functions.
Business associates are required to sign a HIPAA-compliant business associate agreement, which details the elements of HIPAA Rules that must be complied with. They must agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, and access controls to prevent unauthorized access and disclosures.
While the Privacy Rule gives individuals rights over their health information, it also permits covered entities to use and disclose PHI without an individual's authorization for certain purposes, such as for treatment, payment, and healthcare operations.
| Characteristics | Values |
| --- | --- |
| Who does HIPAA apply to? | Everyone as individuals |
| Does HIPAA apply to certain types of organizations? | Yes, depending on which section of HIPAA |
| What is a HIPAA covered entity? | Health plans, health care clearinghouses, and health care providers who electronically transmit health information in connection with certain transactions |
| What is a HIPAA business associate? | An individual or entity that performs functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information |
| Does HIPAA apply to subcontractors of business associates? | Yes |
| Does HIPAA apply to researchers? | Yes, if patients have authorized the use and disclosure of their PHI for research purposes |
| Does HIPAA apply to employees of covered entities and business associates? | Yes, they should be required to comply with HIPAA under their employers' workplace policies |
| Does HIPAA apply during public health emergencies? | If the President declares an emergency or disaster and the Secretary of Health and Human Services declares a public health emergency, enforcement action against non-compliant covered entities can be waived |
| Where is HIPAA used? | Throughout the U.S., unless a state law has more stringent privacy protections or greater individual rights |
| What companies does HIPAA apply to? | Health plans, health care clearinghouses, qualifying health care providers, and business associates that provide a service for or on behalf of a covered entity |
| Who must comply with HIPAA? | The companies to whom HIPAA applies, as well as the workforces of these companies, through the policies and procedures the companies implement to comply with HIPAA |
Who are HIPAA Covered Entities?
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and their business associates. Covered entities are generally individuals, institutions, or organizations that transmit protected health information electronically in transactions for which the Department of Health and Human Services (HHS) has published standards.
Covered entities fall under three main categories:
- Healthcare Providers: Hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.
- Healthcare Clearinghouses: Organizations that process non-standard health information and convert data into types that conform to the standards outlined in the HIPAA administrative simplification regulations.
- Health Plans: Health insurance companies, health maintenance organizations, company health plans, and certain government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans' health programs.
Business associates of covered entities must also follow parts of the HIPAA regulations. Business associates include contractors, subcontractors, and other outside entities that are not employees of a covered entity but need access to protected health information when providing services to the covered entity. Covered entities must have contracts in place with their business associates to ensure the proper handling and protection of health information.
What is a HIPAA Business Associate?
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business associate functions and activities include:
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review
- Quality assurance
- Billing
- Benefit management
- Practice management
- Repricing
Business associate services are:
- Legal
- Actuarial
- Accounting
- Consulting
- Data aggregation
- Management
- Administrative
- Accreditation
- Financial
Examples of business associates include:
- Third-party administrators that assist a health plan with claims processing
- A CPA firm whose accounting services to a health care provider involve access to protected health information
- An attorney whose legal services to a health plan involve access to protected health information
- A consultant that performs utilization reviews for a hospital
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
- An independent medical transcriptionist that provides transcription services to a physician
- A pharmacy benefits manager that manages a health plan’s pharmacist network
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Does HIPAA Apply to Researchers?
The Health Insurance Portability and Accountability Act (HIPAA) applies to researchers in certain circumstances. HIPAA defines the scope of Protected Health Information (PHI) and sets standards to protect patients from inappropriate disclosures of their PHI through the "Privacy Rule". The Privacy Rule establishes a set of safeguards around PHI and sets a national minimum level of protection. It also describes ways in which a "Covered Entity" can use or disclose PHI for research purposes.
A Covered Entity is defined in the HIPAA rules as:
- Health plans
- Health care clearinghouses
- Health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.
HIPAA affects research that uses, creates, or discloses PHI. There are two main ways a research study would involve PHI:
- The study involves a review of medical records as a source of research information. Retrospective studies involve PHI in this way. Prospective studies may also do this, for example, when a researcher contacts a participant's physician to obtain or verify some aspect of a person's health history.
- The study creates new medical records because, as part of the research, a health care service is being performed at a Covered Entity or by a Covered Entity, such as testing a new way of diagnosing a health condition or a new drug or device for treating a health condition.
HIPAA permits the use or disclosure of PHI for research under the following circumstances:
- The subject of the PHI has granted specific written permission for the use of PHI for research through an Authorization.
- The Institutional Review Board (IRB) or Privacy Board has granted a waiver of the authorization requirement.
- The PHI has been de-identified in accordance with the standards set by HIPAA (and therefore no longer meets the definition of PHI).
- The information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher's organization and the Covered Entity.
HIPAA also allows for the use of PHI in "preparatory to research" activities. This means that PHI may be used or disclosed to a researcher without an individual's authorization, a waiver, or a data use agreement. However, this type of access must be requested prior to the review or use as part of the IRB application.
It is important to note that researchers who are not part of a Covered Entity are still subject to HIPAA if they are seeking to use individually identifiable health information from records in the custody of a Covered Entity.
Does HIPAA Apply to Employees of Covered Entities and Business Associates?
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and their business associates. A covered entity is defined as health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with transactions for which the Secretary of Health and Human Services (HHS) has adopted standards under HIPAA.
Business associates are persons or entities that are hired by covered entities to help them carry out healthcare activities and functions. They are third-party organizations that are not part of the covered entity's workforce but are entrusted with protected health information (PHI). Examples of business associates include software providers, cloud service providers, document storage companies, medical billing companies, and marketing firms.
Covered entities must have contracts or written business associate agreements (BAAs) in place with their business associates. These contracts must ensure that business associates will use and disclose health information properly, safeguard it appropriately, and comply with the Rules' requirements to protect the privacy and security of PHI.
Employees of covered entities are not considered business associates. However, they are subject to HIPAA compliance requirements. Covered entities must implement policies and procedures that restrict access to PHI based on each employee's specific role. Employees must receive training on privacy policies and procedures, and sanctions will be applied for violations.
Therefore, HIPAA does apply to employees of covered entities, but they are not considered business associates. Employees of business associates may also be subject to HIPAA requirements if they handle PHI.
Does HIPAA Apply to Subcontractors of Business Associates?
The Health Insurance Portability and Accountability Act (HIPAA) applies to subcontractors of business associates.
A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access to protected health information (PHI). A "subcontractor" is a person or entity to which a business associate delegates a function, activity, or service.
The HIPAA Privacy Rule requires all covered entities to have a signed Business Associate Agreement (BAA) with any business associate they hire that may come into contact with PHI. A BAA is a written contract that specifies each party's responsibilities when it comes to PHI. The BAA must include the following:
- Describe the permitted and required uses of PHI by the business associate/subcontractor
- Provide that the business associate/subcontractor will not use or further disclose PHI other than as permitted or required by the contract or as required by law
- Require the business associate/subcontractor to use appropriate safeguards to prevent inappropriate PHI use or disclosure
The Department of Health and Human Services (HHS) can audit business associates and subcontractors for HIPAA compliance, not just covered entities. This means that organizations must have a BAA in place at all three levels (covered entity, business associate, and subcontractor) to meet HIPAA requirements.
The Omnibus Final Rule, which came into effect on 26 March 2013, significantly expanded the types of persons or entities that qualify as business associates. This included adding patient safety activities to the list of functions and activities that give rise to a business associate relationship. The rule also explicitly expanded the definition of "business associate" to include health information organizations, e-prescribing gateways, and other entities that provide data storage or transmission services for covered entities and require routine access to PHI.
The Final Rule also added a provision that a business associate that is aware of non-compliance by its subcontractor must respond as a covered entity would, by trying to cure the breach, ending the violation, or terminating the contract.
Business associates must obtain satisfactory assurances in the form of BAAs from their subcontractor business associates. A business associate must ensure that any subcontractors that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information.
Therefore, a subcontractor of a business associate is also considered a business associate and must comply with HIPAA.
Frequently asked questions
HIPAA applies to everyone as individuals in the sense that everyone has personally identifiable health information that they have the right to inspect and request corrections when errors or omissions exist.
HIPAA applies to non-medical staff who are considered business associates of a HIPAA-covered entity. A business associate is an individual or entity that performs functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information.
Business associates include accountants, consultants, attorneys, data storage firms, and data management companies.
Business associates are required to sign a HIPAA-compliant business associate agreement, which details the elements of the HIPAA Rules that they must comply with. They must agree to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information.
Yes, HIPAA also applies to subcontractors of business associates. If a business associate subcontracts work that requires access to protected health information, then HIPAA Rules must be followed.