
Who Does HIPAA Apply To?

HIPAA applies to everyone as individuals, inasmuch as everyone has individually identifiable health information that they have the right to inspect and to request corrections to when errors or omissions exist. HIPAA can also apply to certain types of organization, depending on which section of HIPAA you review.

Confusion sometimes exists over the question of who HIPAA applies to, because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who HIPAA applies to and which organizations need to implement HIPAA compliance programs.

Does HIPAA Apply to Everybody?

The Health Insurance Portability and Accountability Act (PDF) is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans.

However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S. citizenship. When you include the relatively small section about protecting individually identifiable health information, one could claim HIPAA applies to everybody, on the basis that health care consumers have responsibilities for understanding their privacy rights and authorizing disclosures of their protected health information. So let's look at this section in greater detail.


HIPAA Title II, Subtitle F – the Administrative Simplification Provisions

Even when you extract the Administrative Simplification Provisions of HIPAA Title II, Subtitle F, from the rest of the Act, it is not clear who HIPAA applies to. The introduction to this section states:

“It is the purpose of this subtitle to improve the Medicare program, the Medicaid program, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”.

The language used in the introduction has sometimes been interpreted to imply that HIPAA applies only to organizations conducting electronic health transactions. Although it is clear that any standards developed as a result of the Act are applicable to health plans, health care clearinghouses, and health care providers, further language within the Administrative Simplification Provisions reinforces the implication that the Act only applies to “transactions to enable health information to be exchanged electronically”.

It is only in the final subsection of the Administrative Simplification Provisions that any reference is made to “standards with respect to the privacy of individually identifiable health information”. This subsection requires the Secretary of Health and Human Services to develop standards for the protection of patient health information – but only if Congress fails to do so within three years of the passage of HIPAA. For this reason, the first rule relating to Protected Health Information was not effective until 2003.

Rather than Who Does HIPAA Apply To, Who Are HIPAA Covered Entities?

In the context of which organizations need to implement HIPAA compliance programs, the 2003 HIPAA Privacy Rule was the first HIPAA-related document to use the term HIPAA covered entities. What wasn’t clear in the Department of Health and Human Services’ summary of the Privacy Rule was who covered entities are – it lists those covered by the HIPAA Privacy Rule as health plans, health care clearinghouses, and health care providers “who electronically transmit health information in connection with certain transactions”.

However, under the definition of what health information is protected, the HHS summary states that all individually identifiable health information held or transmitted by a covered entity in any form, whether electronic, paper, or oral, is protected – thus making all health care providers subject to the regulations of the Privacy Rule regardless of how they create, share, transmit, or store individually identifiable health information. The requirement to protect health information also applies to business associates. This implies that non-medical staff also need to receive HIPAA training.

What is a HIPAA Business Associate?

A HIPAA business associate is an individual or entity that provides services to, or performs functions on behalf of, a HIPAA-covered entity that involve the use or disclosure of protected health information. Any business associate of a HIPAA-covered entity is required to sign a HIPAA-compliant business associate agreement – a contract that details the elements of the HIPAA Rules that the business associate must comply with (see 45 CFR 164.504(e)).

Business associates are required to agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, and access controls to prevent unauthorized access and disclosures. They must agree not to use PHI for any purposes other than the reasons for which the information is disclosed to them. They must not disclose the information to any other individuals or entities (except subcontractors – see below). They must provide individuals with copies of their PHI on request, and must notify their covered entity of any breaches of protected health information.

Business associates include a wide range of individuals and entities, including companies that conduct data analysis, process claims, or provide administrative, quality assurance, billing, payment, and collections services. Business associates also include accountants, consultants, attorneys, data storage firms, and data management companies. A more extensive list of business associates, and an explanation of the differences between a business associate and a covered entity, are detailed here.

Does HIPAA Apply to Subcontractors of Business Associates?

HIPAA also applies to subcontractors of business associates. If a business associate of a HIPAA-covered entity subcontracts any HIPAA-regulated duties to another entity, and that entity is required to access or use PHI to complete its contracted duties, the HIPAA Rules must be followed. In these circumstances, business associates must also enter into a business associate agreement with their downstream subcontractors. As with their covered entities, a signed BAA constitutes ‘satisfactory assurances’ that the subcontractor has been informed about the HIPAA Rules and is aware of its responsibilities with respect to PHI.

Does HIPAA Apply to Researchers?

Employees of covered entities are not business associates, but what about researchers? Does HIPAA apply to researchers? The HIPAA Rules allow covered entities to disclose PHI to researchers, provided that patients have authorized the use and disclosure of their PHI for research purposes, or the PHI is de-identified. In such cases, PHI can be disclosed. A business associate agreement is not required, although covered entities must enter into a data use agreement with the researcher. The data use agreement provides satisfactory assurances that the HIPAA Rules will be followed with respect to the limited data set provided.

Who Does HIPAA Apply To FAQs

What is a HIPAA compliance program?

A HIPAA compliance program consists of a start-to-finish compliance strategy encompassing everything from risk assessments and risk analyses to implementing safeguards to protect the security and integrity of PHI. A HIPAA compliance program includes workforce training, an understanding of document retention requirements, and processes for identifying and reporting violations of HIPAA.

Does HIPAA apply to employees of covered entities and business associates?

Employees of covered entities and business associates should be required to comply with HIPAA under their employers’ workplace policies. The policies should provide details of the sanctions that apply to violations of HIPAA and the process for investigating violations of HIPAA. If no such policies exist, the employer is in violation of HIPAA.

What if an employee violates HIPAA by accident?

Covered entities and business associates are required to assess the potential for accidental violations of HIPAA and to implement measures to prevent reasonably anticipated violations. Naturally, it is impossible to prevent every accidental violation, and the circumstances of each violation – along with an assessment of the damage caused – will determine the outcome of a violation investigation.

What is the Minimum Necessary Standard for disclosing protected health information?

Under the minimum necessary standard, covered entities and business associates are required to make reasonable efforts to ensure the disclosure of protected health information is limited to the minimum necessary to accomplish the intended purpose of a particular use or request. Exceptions to this requirement exist, and you can read more about them in this article.

Does HIPAA apply during public health emergencies?

If the President declares an emergency or disaster and the Secretary of Health and Human Services declares a public health emergency, enforcement action against non-compliant covered entities can be waived. However, the waiver of enforcement action only relates to certain provisions of the HIPAA Privacy Rule – not the HIPAA Privacy Rule in its entirety.

Where is HIPAA used?

HIPAA is used throughout the U.S. unless a state law has more stringent privacy protections or greater individual rights. In such cases, the state law – or the part of it with more stringent privacy protections – takes HIPAA’s place. HIPAA can also apply internationally when a covered entity or business associate shares PHI with an overseas third party. In this scenario, the overseas third party becomes a business associate and must comply with the applicable HIPAA Rules.

What companies does HIPAA apply to?

HIPAA applies to health plans, health care clearinghouses, qualifying healthcare providers, and business associates that provide a service for or on behalf of a covered entity. HIPAA also applies in part to vendors of personal health records inasmuch as data breaches must be reported to the Federal Trade Commission under the Health Breach Notification Rule.

Who must comply with HIPAA?

Not only must the companies to whom HIPAA applies comply with HIPAA, but so must the workforces of these companies, through the policies and procedures the companies implement to comply with HIPAA. “Workforces” includes not only company employees, but also any volunteer, intern, student, or contractor under the direct control of the company, regardless of whether they are paid by the company for the services they provide.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
