HIPAA Laws: Who Are They Targeting?

Who do HIPAA laws apply to?

The Health Insurance Portability and Accountability Act (HIPAA) is a substantial piece of legislation passed by the US Congress in 1996. It establishes a set of national standards for the protection of health information, giving individuals rights over their health information and setting rules and limits on who can access it.

HIPAA applies to two groups: covered entities and business associates. Covered entities include health plans, health care providers, and health care clearinghouses. Business associates are individuals or entities that carry out operations or have responsibilities that involve using or disclosing protected health information, either on behalf of or as an agent of a covered entity.

Characteristics and values:

  • Covered Entities: health plans, health care providers, health care clearinghouses
  • Health Plans: health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, Medicaid, etc.
  • Health Care Providers: hospitals, doctors, clinics, psychologists, chiropractors, nursing homes, pharmacies, dentists, etc.
  • Health Care Clearinghouses: entities that process non-standard health information into a standard format or vice versa
  • Business Associates: companies that conduct data analysis, process claims, or provide administrative services, quality assurance, billing, payment and collections services, etc.

lawshun

Who are HIPAA Covered Entities?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996 to establish common standards across the healthcare system, so that patient information is protected.

HIPAA's Privacy Rule applies to three groups: healthcare providers, healthcare plans, and healthcare clearinghouses that transmit health information through any type of communication method. In practice this means it applies to anyone who has access to, needs to use, or needs to disclose protected health information (PHI).

The two most common categories of HIPAA-compliant entities are covered entities and business associates.

Covered Entities

Covered entities (CEs) are individual or group plans that provide or pay the cost of medical care. This includes health, dental, vision, prescription, Medicare, or Medicaid organizations and those who work within them. CEs are liable for the activities of any business associate that is their agent.

CEs include:

  • Health plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for healthcare, such as Medicare and Medicaid.
  • Most healthcare providers—those that conduct certain business electronically, such as electronically billing your health insurance. This includes most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Healthcare clearinghouses—entities that process non-standard health information they receive from another entity into a standard format or data content, or vice versa.

Business Associates

Business associates (BAs) are individuals or entities that carry out operations or responsibilities that involve using or disclosing PHI, either on behalf of or as an agent of a covered entity. This could include people or organizations involved in billing, benefits management, quality assurance, or legal services.

BAs include:

  • Companies that help your doctors get paid for providing healthcare, including billing companies and companies that process your healthcare claims.
  • Companies that help administer health plans.
  • Outside lawyers, accountants, and IT specialists.
  • Companies that store or destroy medical records.

Business associates must have contracts in place with their covered entities, ensuring that they use and disclose PHI properly and safeguard it appropriately.


What is a HIPAA Business Associate?

A HIPAA Business Associate is an individual or entity that performs functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information. This includes companies that conduct data analysis, process claims, or provide administrative services, quality assurance, billing, payment and collections services. Business associates also include accountants, consultants, attorneys, data storage firms, and data management companies.

Any business associate of a HIPAA-covered entity is required to sign a HIPAA-compliant business associate agreement – a contract that details the elements of the HIPAA Rules the business associate must comply with. Business associates must agree to implement safeguards that ensure the confidentiality, integrity, and availability of PHI, along with access controls that prevent unauthorized access and disclosures. They must agree not to use PHI for any purpose other than the one for which the information was disclosed. They must not disclose the information to any other individuals or entities (except subcontractors). They must provide individuals with copies of their PHI on request and must notify their covered entity of any breaches of protected health information.

Business associates of covered entities must follow parts of the HIPAA regulations. Covered entities must have contracts in place with their business associates, ensuring that they use and disclose health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records


Does HIPAA Apply to Subcontractors of Business Associates?

The Health Insurance Portability and Accountability Act (HIPAA) applies to subcontractors of business associates. If a business associate of a HIPAA-covered entity subcontracts work to another entity, and that entity is required to access or use protected health information (PHI) to complete its contracted duties, then HIPAA Rules must be followed.

A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access to PHI. A subcontractor is a person or entity to whom a business associate delegates a specific function, activity, or service outside the context of being part of the business associate's workforce.

In this context, subcontractors are individuals or organizations that perform functions for, or provide services to, a business associate, and these functions often involve handling PHI. When a business associate subcontracts a function, activity, or service to a third party in a way that involves the disclosure of PHI, an additional, or downstream, HIPAA Business Associate Agreement (BAA) must be in place between the business associate and the subcontractor.

The BAA is a legally binding contract that establishes the relationship between the subcontractor and the primary business associate or covered entity. It outlines the safeguards, protections, and privacy requirements that subcontractors must adhere to, ensuring the secure and compliant handling of PHI. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.

A business associate may use or disclose PHI only as permitted or required by its BAA or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making unauthorized uses and disclosures of PHI.

Since the passage of the HITECH Act and the incorporation of relevant provisions into HIPAA via the HIPAA Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. This was done to ensure the comprehensive protection of individuals' PHI and to address potential vulnerabilities in the handling of PHI by third parties.


Does HIPAA Apply to Researchers?

HIPAA, or the Health Insurance Portability and Accountability Act, applies to everyone as individuals, in that it gives them the right to inspect their health information and request corrections. When it comes to researchers, however, the answer is a little more complex.

HIPAA Rules allow covered entities to disclose PHI (Protected Health Information) to researchers, but only if the patients have authorized the use and disclosure of their PHI for research purposes. In such cases, a business associate agreement is not required, but covered entities must enter into a data use agreement with the researcher. This agreement provides assurances that HIPAA Rules will be followed with respect to the limited data set provided.

In addition, researchers can access PHI without individual authorization in certain circumstances, such as when they obtain a waiver from an Institutional Review Board (IRB) or Privacy Board. Researchers can also access PHI as part of activities that are considered 'preparatory to research'. In this case, researchers must request access prior to the review or use as part of the IRB application, and the covered entity must obtain representations from the researcher that the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol. Researchers may not use this information to contact potential study participants.

Furthermore, researchers can access PHI as part of a Limited Data Set if a Data Use Agreement has been executed between the covered entity and the researcher. This agreement must meet HIPAA requirements, including limiting further use or disclosure of PHI.

Finally, researchers can use or disclose de-identified health information without restriction since it is not considered PHI and is therefore not protected by the Privacy Rule. De-identified health information is a record from which identifying information has been removed.


Who Must Comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to two groups. The first is covered entities, which include healthcare providers, health insurance companies, and healthcare clearinghouses. The second group is business associates, which are any businesses that perform services for a covered entity that require them to take possession of protected health information (PHI).

Covered entities are individual or group plans that provide or pay the cost of medical care. This includes health, dental, vision, prescription, Medicare, or Medicaid organizations and those who work within them. Most health care providers are covered entities, particularly those that conduct certain business electronically, such as electronically billing a patient's health insurance.

Business associates are individuals or entities that carry out operations or responsibilities that involve using or disclosing PHI, either on behalf of or as an agent of a covered entity. This could include people or organizations involved in billing, benefits management, quality assurance, or legal matters. A covered entity is liable for the activities of any business associate that is their agent.

HIPAA also applies to subcontractors of business associates. If a business associate of a covered entity subcontracts work to another entity that requires access to PHI to complete its duties, HIPAA rules must be followed. In these cases, business associates must enter into a business associate agreement with their subcontractors.

In addition, HIPAA applies to employees of covered entities and business associates. These employees should be required to comply with HIPAA under their employers' workplace policies, which should outline sanctions for violations of HIPAA and the process for investigating violations.
