HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, such as third-party service providers that handle protected health information (PHI) on their behalf. Both covered entities and business associates are responsible for protecting patient information and complying with the HIPAA Privacy and Security Rules.
HIPAA was enacted in 1996 to improve the portability of health insurance coverage, simplify healthcare administration, and safeguard sensitive health information; the detailed privacy and security requirements were issued afterward by HHS as implementing regulations. The two primary rules that apply to healthcare organizations and their partners are the Privacy Rule and the Security Rule. According to the HHS, "A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities." The Security Rule, by contrast, addresses how electronic PHI is protected: "the Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI." Covered entities and their business associates must comply with both rules.
Under HIPAA, covered entities fall into three categories: healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction, health plans, and healthcare clearinghouses. Each category is described below.
A healthcare provider is any individual or organization that provides healthcare services, including doctors, hospitals, clinics, nursing homes, pharmacies, dentists, and psychologists. A provider becomes a covered entity when it transmits health information electronically in connection with a standard transaction, such as submitting an insurance claim; a provider that keeps paper records and bills only on paper is not a covered entity. Covered providers are responsible for implementing safeguards to protect patient privacy and for ensuring that their staff and systems comply.
Health plans include organizations that provide or pay for medical care, such as health insurance companies, health maintenance organizations (HMOs), Medicare, Medicaid, and employer-sponsored health plans. Health plans collect and manage a large amount of PHI and must keep this information secure and only share it under the conditions outlined by HIPAA. These entities must also ensure that any third parties handling their data adhere to HIPAA’s strict privacy and security guidelines.
Clearinghouses process non-standard health information received from another entity into a standard format for electronic transmission, or convert standard transactions back into a non-standard format. For example, a clearinghouse may process claims data on behalf of healthcare providers to ensure the information meets the required standards for submission to health plans. Like healthcare providers and health plans, clearinghouses must comply with HIPAA to protect the data they handle.
In addition to covered entities, HIPAA applies to business associates. According to the HHS, "A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Business associates can include IT service providers, cloud storage companies, billing and coding firms, law firms, accounting firms, and consultants. These entities are equally responsible for safeguarding PHI under HIPAA.
A required aspect of this relationship is the business associate agreement (BAA), which must be signed between the covered entity and any business associate before sharing PHI. The BAA outlines the responsibilities of both parties regarding HIPAA compliance, ensuring the business associates will implement appropriate safeguards to protect PHI. Without a BAA in place, a covered entity can be held liable for any mishandling of PHI by its business associate.
The Department of Health and Human Services' Office for Civil Rights (OCR) enforces HIPAA. Civil monetary penalties are tiered by the level of culpability, from lack of knowledge up to uncorrected willful neglect, and originally ranged from $100 to $50,000 per violation with an annual cap for violations of the same provision; both figures are adjusted for inflation each year. Criminal penalties may apply in some cases, and state attorneys general can also bring civil actions for HIPAA violations.
HIPAA defines PHI as "all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral." The electronic subset of this information is e-PHI, which is what the Security Rule's safeguards cover.
Research institutions are subject to HIPAA when they are covered entities (for example, an academic medical center) or business associates and handle PHI as part of their studies. Any PHI used for research must be de-identified, used with the individual's written authorization, or used under one of the Privacy Rule's other research pathways, such as an IRB or privacy board waiver of authorization or a limited data set released under a data use agreement.
HIPAA applies to telehealth services just as it does to in-person care. Telehealth providers must ensure that any electronic communication of PHI is secure and complies with the Privacy and Security Rules, including having a BAA in place with any platform vendor that handles PHI on their behalf.