Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, such as third-party service providers that handle protected health information (PHI) on their behalf. Both covered entities and business associates are responsible for protecting patient information and complying with the HIPAA Privacy and Security Rules. 

A brief overview of HIPAA

HIPAA was enacted in 1996 to safeguard sensitive health information, improve healthcare portability, and ensure the privacy and security of patient data. The two primary rules of HIPAA that apply to healthcare organizations and their partners are the Privacy Rule and the Security Rule. According to the HHS, "A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities." Conversely, "the Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI." Covered entities and their business associates must comply with both of these HIPAA regulations.

Covered entities under HIPAA

The definition of a covered entity under HIPAA includes individuals or organizations engaged in the electronic creation, reception, maintenance, or transmission of PHI. The three types of covered entity are:

Healthcare providers

Any individual or organization that provides healthcare services and transmits health information electronically falls under the definition of a healthcare provider, including doctors, hospitals, clinics, nursing homes, pharmacies, dentists, psychologists, and more. If a healthcare provider submits information electronically for tasks like insurance claims, they must comply with HIPAA. Healthcare providers are responsible for implementing safeguards to protect patient privacy and ensuring that their staff and systems are compliant.

Health plans

Health plans include organizations that provide or pay for medical care, such as health insurance companies, health maintenance organizations (HMOs), Medicare, Medicaid, and employer-sponsored health plans. Health plans collect and manage a large amount of PHI and must keep this information secure and only share it under the conditions outlined by HIPAA. These entities must also ensure that any third parties handling their data adhere to HIPAA’s strict privacy and security guidelines.

Healthcare clearinghouses

Clearinghouses process non-standard health information they receive from another entity into a standard format for electronic transmission. For example, a clearinghouse may process claims data on behalf of healthcare providers to ensure the information meets the required standards for submission to health plans. Like healthcare providers and health plans, clearinghouses must comply with HIPAA regulations to protect the data they handle.

Business associates and HIPAA compliance

In addition to covered entities, HIPAA applies to business associates. According to the HHS, "A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Business associates can include IT service providers, cloud storage companies, billing and coding firms, law firms, accounting firms, and consultants. These entities are equally responsible for safeguarding PHI under HIPAA.

A required aspect of this relationship is the business associate agreement (BAA), which must be signed between the covered entity and any business associate before sharing PHI. The BAA outlines the responsibilities of both parties regarding HIPAA compliance, ensuring the business associates will implement appropriate safeguards to protect PHI. Without a BAA in place, a covered entity can be held liable for any mishandling of PHI by its business associate.

HIPAA compliance responsibilities of covered entities and business associates

  • Shared responsibility for protecting patient data: Covered entities and business associates are both accountable for protecting patient data by implementing physical and technical safeguards.
  • Physical and technical safeguards: These include access controls, data encryption, regular risk assessments, and employee training to prevent unauthorized access or data breaches.
  • Minimum necessary standard: Covered entities are required to disclose only the minimum amount of PHI necessary for any given purpose, ensuring data is not unnecessarily shared or exposed.

Consequences of non-compliance

The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA, and organizations found to be non-compliant can face fines ranging from $100 to $50,000 per violation, depending on the severity of the infraction. In some cases, criminal penalties and civil lawsuits may also be applicable.

FAQs

What is PHI under HIPAA?

HIPAA defines PHI as "all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral."

Are research institutions subject to HIPAA regulations?

Research institutions are subject to HIPAA if they handle PHI as part of their studies. They must ensure that any data used for research is de-identified or used with proper authorization.

Does HIPAA apply to telehealth services?

Yes, HIPAA applies to telehealth services just like in-person care. Telehealth providers must ensure that any electronic communication of PHI is secure and compliant with HIPAA’s privacy and security rules.