Are senior care facilities covered entities under HIPAA?
Caitlin Anthoney Nov 19, 2024 11:28:56 AM
Not every senior care facility is a covered entity, but those that provide medical care and handle protected health information (PHI) must adhere to HIPAA regulations.
What are covered entities?
The Health Insurance Portability and Accountability Act (HIPAA) defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who share PHI for specific transactions, like billing or insurance claims. These entities must comply with HIPAA’s Privacy, Security, and Breach Notification Rules.
Go deeper: A guide to HIPAA's rules
What does HIPAA say about senior care facilities?
HIPAA compliance is not a blanket requirement for all senior care facilities. Legal services firm Davis Wright Tremaine, LLP explains, “Typically, it depends on if the senior care facility is also a legal entity with a hospital or other healthcare provider.”
Senior care facilities that are exempt from HIPAA
Facilities offering only non-medical support, like daily living assistance or social services, are not automatically covered entities under HIPAA.
However, if they partner with or transmit health information to covered entities (e.g., hospitals or insurance providers), they are considered business associates and bound by HIPAA.
In such cases, these facilities must sign a business associate agreement (BAA) with the covered entity. The BAA legally binds the facility to comply with HIPAA’s provisions for safeguarding PHI.
HIPAA-covered senior care facilities
If a senior care facility, such as a skilled nursing home or an assisted living center with medical staff, offers healthcare services like managing chronic conditions and administering medications, it is a covered entity.
Facilities that electronically bill insurance companies, Medicare, or Medicaid for healthcare services are also covered entities under HIPAA.
As a covered entity, the facility must:
- Implement privacy policies: Develop and enforce policies to safeguard residents' PHI.
- Improve cybersecurity: Use a HIPAA compliant solution, like Paubox, to secure residents' PHI through encryption, access controls, and other advanced security measures. This also helps senior care facilities avoid the legal repercussions of potential data breaches.
- Train employees: Provide regular HIPAA training so staff know how to identify and prevent data breaches.
- Establish breach notification protocols: Create a process for reporting data breaches to residents, the Department of Health and Human Services (HHS), and, in some cases, the media.
Read also: Enhancing elderly healthcare with HIPAA compliant emails
FAQs
What makes an email HIPAA compliant?
Providers must use a HIPAA compliant email solution, like Paubox, which uses encryption, access controls, and authentication measures to protect patient privacy.
Additionally, providers must obtain explicit patient consent, limit protected health information (PHI) to what is necessary for patient care, and train staff on sending HIPAA compliant emails.
Can HIPAA compliant emails include medical images?
Yes, Paubox email automatically encrypts images and attachments, protecting PHI during transmission and at rest.
What should a covered entity do after discovering a data breach?
Covered entities must contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and investigate how the breach occurred and how to prevent future incidents.