HIPAA Law Applicability: Understanding the Scope and Reach

Who does HIPAA law apply to?

The Health Insurance Portability and Accountability Act (HIPAA) is a substantial piece of legislation passed by the US Congress in 1996. It establishes common standards across the US healthcare system to protect patient information. The law's obligations fall on two groups: covered entities and business associates. Covered entities are health plans (including health insurance companies), healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a standard transaction. Business associates are individuals or entities that carry out operations or have responsibilities that involve using or disclosing protected health information (PHI), either on behalf of or as an agent of a covered entity. This could include people or organisations involved in billing, benefits management, quality assurance, and legal services.

Who does HIPAA apply to?
  • Everyone, as individuals with rights over their own health information
  • Health insurance providers
  • Employers who sponsor or co-sponsor employee health insurance plans (it is the group health plan, rather than the employer as such, that is the covered entity)
  • Health plans
  • Health care providers
  • Health care clearinghouses
  • Business associates

Who is not required to follow HIPAA?
  • Workers' compensation carriers
  • Most schools and school districts
  • Most law enforcement agencies
  • Many state agencies, such as child protective service agencies
  • Many municipal offices


Health plans, including health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid

The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, including health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid. These are considered "covered entities" under HIPAA and are subject to the Privacy Rule and Security Rule.

The Privacy Rule establishes national standards for the protection of individually identifiable health information and gives individuals rights over their health information. It sets rules and limits on who can look at and receive an individual's health information. The Security Rule is the companion regulation that requires administrative, physical, and technical safeguards for health information in electronic form (e-PHI).

Health plans that are covered entities under HIPAA must comply with the Privacy Rule and ensure that their business associates, such as billing companies and companies that administer health plans, also comply. This includes implementing safeguards to protect health information and ensuring that it is not used or disclosed improperly.

HIPAA provides individuals with the right to access their health information, request corrections, and receive a notice that explains how their health information may be used and shared. Individuals must also give written authorization before their health information is used or shared for certain purposes, such as marketing.

Covered entities under HIPAA must also comply with the Security Rule, which requires them to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI). This includes technical safeguards such as access controls, audit logging, and encryption of e-PHI in transit and at rest. Encryption is an "addressable" specification rather than a flat requirement: the entity must either implement it or document why an alternative measure is reasonable and appropriate. In practice, e-PHI encrypted in line with HHS guidance is treated as "secured", so its loss or theft does not by itself trigger breach notification, which is why most covered entities encrypt by default.

Overall, HIPAA helps to protect the privacy and security of health information for individuals enrolled in health plans, including those offered by insurance companies, HMOs, companies, and government programs.


Health care providers that conduct business electronically, such as billing insurance electronically

The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, health care clearinghouses, and certain health care providers. These include health insurance companies, HMOs, employer-sponsored health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.

Under HIPAA, a health care provider is a provider of services, a provider of medical or health services, and any other person or organization that furnishes, bills, or is paid for healthcare in the normal course of business. This includes most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.

HIPAA applies to health care providers that transmit health information electronically in connection with a HIPAA standard transaction, such as billing an insurance company electronically. A provider that only bills on paper is not a covered entity, but as soon as it submits a claim electronically (including through a billing service or clearinghouse acting on its behalf) it becomes one. These providers must comply with the Privacy Rule, which gives individuals rights over their health information and sets rules and limits on who can access and receive it. The Privacy Rule applies to all forms of protected health information, whether electronic, written, or oral.

The Security Rule complements the Privacy Rule by specifically requiring safeguards for health information in electronic form. Health care providers that electronically transmit health information must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of e-PHI. This includes limiting workforce access to the minimum necessary for each role and training those workforce members on how to protect patient health information.

HIPAA also applies to business associates of covered entities: persons or entities outside the covered entity's own workforce that need access to protected health information in order to provide services to it. Examples include companies that help with billing and companies that provide administrative services. Business associates are directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule, and they must sign a HIPAA-compliant business associate agreement (BAA) before receiving PHI.


Health care clearinghouses that process non-standard health information

The Health Insurance Portability and Accountability Act (HIPAA) applies to health care clearinghouses, which are entities that process non-standard health information they receive from another entity into a standard format, or vice versa. These clearinghouses are typically private or public entities, such as billing services, repricing companies, community health management information systems, or community health information systems. They play a crucial role in the healthcare industry by acting as intermediaries between healthcare providers and insurance payers.

One of the primary functions of healthcare clearinghouses is to check that medical claims are free from errors so that the payer can process them correctly. Once a claim is verified, it is sent electronically, along with any associated medical records, to the relevant payer. Clearinghouses also convert non-standard data into the standard formats that payers' adjudication systems accept. This capability is essential for streamlining the claims process and shortening turnaround times.

The adoption of electronic claims processing and the HIPAA transaction standards has significantly improved the workflow for medical claims. By minimising manual touchpoints and enabling claims to be tracked throughout their lifecycle, clearinghouses have replaced many of the manual methods previously used in the industry and act as the standard intermediary between providers and insurance carriers.

To comply with HIPAA, healthcare clearinghouses must protect the security and privacy of the health information they handle. A clearinghouse is itself a covered entity, and when it handles PHI on behalf of a provider or payer it also acts as that entity's business associate, so it must operate under a business associate agreement with each provider or payer it serves. Likewise, any business that receives PHI from a clearinghouse in order to provide services to it is a business associate of the clearinghouse and must comply with the HIPAA Rules. That compliance is bound through a signed business associate agreement (not merely a service level agreement) that sets out the business associate's obligations and its liability in the event of non-compliance.

In summary, healthcare clearinghouses that process non-standard health information play a vital role in the healthcare industry by facilitating the exchange of information between providers and payers. They ensure data accuracy and security while streamlining the claims process. To maintain HIPAA compliance, these clearinghouses must adhere to strict standards for handling and protecting sensitive health information.


Business associates of covered entities, including billing companies, companies administering health plans, and outside lawyers and accountants

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to business associates of covered entities. Business associates are organisations or individuals that perform work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. They are responsible for safeguarding that information and are directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule.

Covered entities include health plans, health care clearinghouses, and certain health care providers. Health plans include health insurance companies, HMOs, employer-sponsored health plans, and government programs that pay for health care, such as Medicare, Medicaid, and military and veterans' health programs. Health care clearinghouses include organisations that process non-standard health information to conform to standard formats on behalf of other organisations. Health care providers who submit HIPAA transactions electronically are covered.

Business associates of covered entities include billing companies, companies that administer health plans, and outside lawyers and accountants. These companies may need to access protected health information when providing services to the covered entity. For example, billing companies and health claims processors will need to access billing information. Companies that administer health plans may also need to access protected health information.

Covered entities must have business associate agreements (BAAs) in place with their business associates. These contracts must require business associates to use and disclose health information only as permitted and to safeguard it appropriately. Business associates must in turn have similar contracts with any subcontractors that handle protected health information on their behalf.


Subcontractors of business associates

A business associate subcontractor agreement is a legally binding contract between a business associate of a covered entity and a business associate of that business associate. The latter, the subcontractor, must promise to safeguard the protected health information (including electronic protected health information, ePHI) it creates, receives, maintains, or transmits on behalf of the business associate.

By law, a business associate must ensure that any subcontractor it engages that will have access to protected health information agrees to the same restrictions and conditions that apply to the business associate with respect to that information. In other words, the restrictions and conditions in the covered entity/business associate agreement must flow down into the business associate/subcontractor BAA.

In the business associate subcontractor agreement, the business associate subcontractor must agree to the following:

  • Not use or disclose protected health information, other than as permitted or required by the subcontractor BAA, or as required by law.
  • Implement HIPAA Security Rule Safeguards – use appropriate safeguards and comply with the Security Rule provisions with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the BAA.
  • Report to the business associate any use or disclosure of protected health information not provided for by the business associate subcontractor agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware.
  • Ensure that any of its subcontractors that create, receive, maintain, or transmit protected health information on its behalf agree to the same restrictions, conditions, and requirements that apply to the subcontractor with respect to such information.
  • Make available protected health information in a designated record set to the business associate as necessary to satisfy the covered entity's right of access obligations, and make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity.
  • Maintain and make available the information required to provide an accounting of disclosures of PHI, as necessary to satisfy covered entity’s or business associate’s accounting obligations.
  • Make their internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
  • Subcontractors of business associates are permitted to use or disclose PHI to third parties only under limited conditions, so the agreement should also spell out the permitted uses:
      • the subcontractor may use or disclose protected health information as required by law; and
      • the subcontractor may use protected health information for its own proper management and administration, or to carry out its legal responsibilities.

Frequently asked questions

HIPAA applies to everyone as an individual, in that it gives each person the right to inspect and request corrections to their individually identifiable health information. Its compliance obligations apply to certain types of organizations: health plans, health care clearinghouses, health care providers that transmit health information electronically, and their business associates.

Covered entities are health plans (individual or group plans that provide or pay the cost of medical care, including health, dental, vision, and prescription plans and Medicare and Medicaid programs), health care clearinghouses, and health care providers that transmit health information electronically. Members of a covered entity's workforce are bound by its HIPAA policies and training rather than being covered entities themselves.

Business associates are individuals or entities that carry out operations or responsibilities that involve using or disclosing protected health information, either on behalf of or as an agent of a covered entity. This could include people or organizations involved in billing, benefits management, quality assurance, or legal services.
