The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation passed by the US Congress in 1996. It applies to covered entities and their business associates. Covered entities are health plans (including health insurance companies), health care clearinghouses, and health care providers that transmit health information electronically in connection with certain standard transactions. HIPAA therefore does not apply to everyone who handles health information; it applies to these covered entities and to the organizations that use or disclose protected health information on their behalf. Business associates are individuals or entities that perform functions or provide services for covered entities that involve the use or disclosure of protected health information. This includes companies that conduct data analysis, process claims, or provide administrative, quality assurance, billing, payment and collections services, as well as accountants, consultants, attorneys, data storage firms, and data management companies.
Characteristics | Values
---|---
Who does HIPAA apply to? | Covered entities and their business associates; individuals are not regulated by HIPAA but have rights over their own protected health information
Does HIPAA apply to certain types of organizations? | Yes; which obligations apply depends on whether the organization is a covered entity or a business associate and on which HIPAA Rule is at issue
What is a HIPAA-covered entity? | Health plans, health care clearinghouses, and health care providers who electronically transmit health information in connection with certain transactions
What is a HIPAA business associate? | An individual or entity that performs functions or activities on behalf of, or provides services to, a HIPAA-covered entity that involve the use or disclosure of protected health information
Who must comply with HIPAA? | Covered entities and business associates (including their subcontractors), together with the workforces of those organizations
Who are HIPAA Covered Entities?
The HIPAA Privacy Rule covers three main categories of covered entities:
- Health Care Providers: Hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.
- Health Care Clearinghouses: Entities that process nonstandard health information and convert data into standard electronic formats or data content.
- Health Plans: Health insurance companies, health maintenance organizations, government programs that pay for healthcare (e.g., Medicare), and military and veterans' health programs.
Covered entities under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information. They must also provide individuals with certain rights regarding their health information. These include the right to access and obtain a copy of their records, the right to request amendment of inaccurate or incomplete information, the right to receive a notice of privacy practices and an accounting of certain disclosures, and the right to request restrictions on how their information is used and disclosed.
In addition to the above, business associates of covered entities must also comply with parts of the HIPAA regulations. Business associates are individuals or companies that provide services to a HIPAA-covered entity and have access to protected health information. Examples include third-party administrators, billing companies, cloud service providers, attorneys, and more.
What is a HIPAA Business Associate?
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business associate functions and activities include:
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review
- Quality assurance
- Billing
- Benefit management
- Practice management
- Repricing
Business associate services are:
- Legal
- Actuarial
- Accounting
- Consulting
- Data aggregation
- Management
- Administrative
- Accreditation
- Financial
Examples of business associates include:
- Third-party administrators that assist a health plan with claims processing
- A CPA firm whose accounting services to a health care provider involve access to protected health information
- An attorney whose legal services to a health plan involve access to protected health information
- A consultant that performs utilization reviews for a hospital
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
- An independent medical transcriptionist that provides transcription services to a physician
- A pharmacy benefits manager that manages a health plan's pharmacist network
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Does HIPAA Apply to Researchers?
The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the US Department of Health and Human Services (HHS) under HIPAA, such as electronic billing and fund transfers. These entities are known as "covered entities" and are bound by the HIPAA privacy standards.
HIPAA also applies to "business associates" of covered entities, which are entities that perform certain functions or provide services on behalf of a covered entity that involve the use or disclosure of protected health information.
Researchers can be considered covered entities under HIPAA if they furnish health care services to individuals and transmit any health information in electronic form in connection with a transaction covered by the Transactions Rule. For example, a researcher who conducts a clinical trial that involves the delivery of routine health care and transmits health information in electronic form to a third-party payer for payment would be a covered health care provider under HIPAA.
Additionally, researchers who are employees or workforce members of a covered entity are subject to the HIPAA Privacy Rule. If a covered entity decides to be a "hybrid entity", meaning it performs both covered and non-covered functions, it must define and designate its health care components, and researchers can be included in this designation.
Covered entities may disclose protected health information to researchers for research purposes, either with individual authorization or with a waiver of individual authorization. Researchers can also access existing databases maintained by covered entities for research purposes, either with individual authorization or with a waiver of individual authorization.
When conducting research that involves a covered entity, researchers should be aware of the HIPAA Privacy Rule and how it may influence the research environment, including the feasibility, design, and cost of the research. Researchers should also continue to consider issues of privacy and confidentiality as they relate to the protection of human subjects from research risks.
In summary, while not all researchers are subject to HIPAA, those who are involved in the provision of health care services and the electronic transmission of health information can be considered covered entities and are therefore required to comply with the HIPAA Privacy Rule. Researchers who are not considered covered entities may still need to comply with HIPAA if they are working with covered entities or accessing protected health information.
Who Must Comply with HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) gives every individual rights over their own protected health information, including the right to inspect it and to request corrections. The obligations HIPAA imposes, however, fall on certain types of organizations, including:
- Health plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for healthcare, such as Medicare and Medicaid.
- Health care providers who conduct certain business electronically, such as electronically billing a patient's health insurance. This includes most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health care clearinghouses, which process non-standard health information they receive from another entity into a standard format or vice versa.
- Business associates of covered entities, including contractors, subcontractors, and other outside persons or companies that are not employees of a covered entity but need access to health information to provide services. Examples include companies that help with billing and companies that administer health plans.
In addition, HIPAA also applies to subcontractors of business associates. If a business associate of a HIPAA-covered entity subcontracts work to another entity that requires access to or use of protected health information, HIPAA Rules must be followed, and a business associate agreement must be in place.
Overall, while HIPAA gives individuals rights over their health information, the obligations it imposes fall on covered entities, their business associates, and those associates' subcontractors, with specific requirements for each group.
What Types of Information Are Covered Under HIPAA's Privacy Rule?
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information. This includes:
- An individual's past, present, or future physical or mental health condition, the provision of their health care, and payment for their treatment.
- Demographic data such as name, address, birth date, and Social Security Number.
The Privacy Rule also covers non-health information maintained in the same "designated record set". This includes information such as billing information and details of health insurance coverage.
The Rule does not cover employment records that a covered entity maintains in its capacity as an employer, or education and certain other records subject to the Family Educational Rights and Privacy Act.
Frequently asked questions
Who does HIPAA apply to?
HIPAA gives every individual rights over their own personally identifiable health information, including the right to inspect it and to request corrections when errors or omissions exist. The obligations it imposes apply to certain types of organizations: health plans, health care clearinghouses, qualifying health care providers, and business associates that provide a service for or on behalf of a covered entity.
What is a HIPAA business associate?
A HIPAA business associate is an individual or entity that performs functions or provides services on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information. Business associates include a wide range of individuals and entities, including companies that conduct data analysis, process claims, or provide administrative, quality assurance, billing, payment, and collections services.
What is a HIPAA-covered entity?
Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain standard transactions. Health plans are individual or group plans that provide or pay the cost of medical care, which could include health, dental, vision, prescription, Medicare, or Medicaid programs; the workforces of these organizations must also comply.