Who Does HIPAA Apply To?

Confusion sometimes exists over who HIPAA applies to because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who HIPAA applies to and which organizations need to implement HIPAA compliance programs.

Does HIPAA Apply to Everybody?

The Health Insurance Portability and Accountability Act is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans.

However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S. citizenship. When the relatively small section about protecting individually identifiable health information is included, one could claim HIPAA applies to everybody on the basis that health care consumers have responsibilities for understanding their privacy rights and authorizing disclosures of their protected health information. So let's look at this section in greater detail.

HIPAA Title II, Subtitle F – the Administrative Simplification Provisions

Even when you extract the Administrative Simplification Provisions of HIPAA Title II, Subtitle F, from the rest of the Act, it is not clear who HIPAA applies to. The introduction to this section states:

“It is the purpose of this subtitle to improve the Medicare program, the Medicaid program, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”.

The language used in the introduction has sometimes been interpreted to imply HIPAA applies only to organizations conducting electronic health transactions. Although it is clear any standards developed as a result of the Act are applicable to health plans, health care clearinghouses, and health care providers, further language within the Administrative Simplification Provisions reinforces the implication that the Act only applies to “transactions to enable health information to be exchanged electronically”.

It is only in the final subsection of the Administrative Simplification Provisions that any reference is made to “standards with respect to the privacy of individually identifiable health information”. This subsection requires the Secretary of Health and Human Services to develop standards for the protection of patient health information – but only if Congress fails to do so within three years of the passage of HIPAA. Consequently, the first rule relating to Protected Health Information was not effective until 2003.

Rather than Who Does HIPAA Apply To, Who are HIPAA Covered Entities?

In the context of which organizations need to implement HIPAA compliance programs, the 2003 Privacy Rule was the first HIPAA-related document to use the term HIPAA Covered Entities. What wasn't clear in the Department of Health and Human Services' summary of the Privacy Rule was who covered entities are – listing those covered by the Privacy Rule as health plans, health care clearinghouses, and health care providers “who electronically transmit health information in connection with certain transactions”.

However, under the definition of what health information is protected, the HHS' summary states that all individually identifiable health information held or transmitted by a covered entity in any form, whether electronic, paper, or oral is protected – thus making all health care providers subject to the regulations of the Privacy Rule regardless of how they create, share, transmit, or store individually identifiable health information. The requirement to protect health information also applies to Business Associates. This implies that non-medical staff also need to receive HIPAA training.

What is a HIPAA Business Associate?

A HIPAA business associate is an individual or entity that is required to perform functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information. Any business associate of a HIPAA-covered entity is required to sign a HIPAA-compliant business associate agreement – a contract that details the elements of HIPAA Rules that the business associate must comply with (see 45 CFR 164.504(e)).

Business associates are required to agree to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and access controls to prevent unauthorized access and disclosures. They must agree not to use PHI for any other purposes than the reasons why the information is disclosed. They must not disclose the information to any other individuals or entities (except subcontractors – see below). They must provide individuals with copies of their PHI on request, and must notify their covered entity of any breaches of protected health information.

Business associates include a wide range of individuals and entities, including companies that conduct data analysis, process claims, provide administrative services, quality assurance, billing, payment and collections services. Business associates also include accountants, consultants, attorneys, data storage firms, and data management companies. A more extensive list of business associates and explanation of the differences between a business associate and a covered entity are detailed here.

Does HIPAA Apply to Subcontractors of Business Associates?

HIPAA also applies to subcontractors of business associates. If a business associate of a HIPAA covered entity subcontracts any work to another entity, and that entity is required to access or use PHI to complete its contracted duties, HIPAA Rules must be followed. Therefore, business associates must also enter into a business associate agreement with their subcontractors. As with their covered entities, a signed BAA constitutes ‘satisfactory assurances’ that the subcontractor has been informed about HIPAA Rules and is aware of its responsibilities with respect to PHI.

Does HIPAA Apply to Researchers?

Employees of covered entities are not business associates, but what about researchers? Does HIPAA apply to researchers? HIPAA Rules allow covered entities to disclose PHI to researchers, provided that patients have authorized the use and disclosure of their PHI for research purposes. In such cases, PHI can be disclosed. A business associate agreement is not required, although covered entities must enter into a data use agreement with the researcher. The data use agreement provides satisfactory assurances that HIPAA Rules will be followed with respect to the limited data set provided.

Who Does HIPAA Apply To FAQs

What is a HIPAA compliance program?

A HIPAA compliance program consists of a start-to-finish compliance strategy encompassing everything from risk assessments and risk analyses to implementing safeguards to protect the security and integrity of PHI. Additionally, a HIPAA compliance program includes employee training, an understanding of document retention requirements, and processes for identifying and reporting violations of HIPAA.

Does HIPAA apply to employees of covered entities and business associates?

Employees of covered entities and business associates should be required to comply with HIPAA under employers' workplace policies. The policies should provide details of what sanctions for violations of HIPAA apply and the process for investigating violations of HIPAA. If no such policies exist, the employer is in violation of HIPAA.

What if an employee violates HIPAA by accident?

Covered entities and business associates have a requirement to assess the potential for accidental violations of HIPAA and implement measures to prevent reasonably anticipated violations. Naturally, it is impossible to prevent every accidental violation, and the circumstances of each violation – along with an assessment of the damage caused – will determine the outcome of a violation investigation.

What is the Minimum Necessary Standard for disclosing protected health information?

Under the minimum necessary standard, covered entities and business associates are required to make reasonable efforts to ensure the disclosure of protected health information is limited to the minimum necessary to accomplish the intended purpose of a particular use or request. Exceptions to this requirement exist, and you can read more about them in this article.

Does HIPAA apply during public health emergencies?

If the President declares an emergency or disaster and the Secretary for Health and Human Services declares a public health emergency, enforcement action against non-compliant covered entities can be waived. However, the waiving of enforcement action will only relate to certain provisions of the Privacy Rule – not the Privacy Rule in its entirety.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.