Does the HIPAA Privacy Rule Relate to You?

If you are a health plan, health care clearinghouse, or health care provider, you are a HIPAA Covered Entity (CE). If health plans or health care providers use the services of other persons or businesses, known as business associates (BAs), to carry out health care activities and functions, the HIPAA Privacy Rule allows CEs to disclose protected health information (PHI) to these BAs if:

  • The CE obtains satisfactory assurance from the BA that the PHI will be used only for the purposes for which the CE engaged the BA.
  • The satisfactory assurances are in writing, whether in the form of a contract or another agreement between the CE and the BA (a BA Agreement).
  • The BA will safeguard the PHI from misuse.
  • The BA will assist the CE in complying with its duties under the Privacy Rule.
  • The CE does not disclose PHI to the BA for the BA's independent use or purposes, except as needed for the proper management and administration of the BA.

The April 2014 Key Notes of Health Care Compliance will review Business Associate Agreements and provide samples that comply with the HIPAA Omnibus Rule.

The world of healthcare is full of acronyms and regulations, and HIPAA is one of the most important ones to understand. But HIPAA, or the Health Insurance Portability and Accountability Act, is more than just a complex term. It's a set of rules that safeguard your most sensitive information: your health data.

But how does this legislation affect you? Whether you work directly in healthcare or simply seek to understand your rights in the digital age, the HIPAA Privacy Rule has implications worth exploring.

Who Is Covered by HIPAA?

Firstly, let’s define who falls under the umbrella of HIPAA. The rule primarily applies to two groups: covered entities and business associates.

Covered Entities

Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.

  • Health plans: Health maintenance organizations (HMOs), employer-sponsored health plans, health insurance companies, and government-backed programs that pay for healthcare, such as Medicaid and Medicare.
  • Healthcare clearinghouses: Organizations that take health information in various formats from one source and convert it into a standard format or take standard format information and convert it into a different format before sending it to another party.
  • Healthcare providers: Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

Business Associates

Business associates are people or companies that work with or provide services to a covered entity and need to access, use, or share a patient's protected health information (PHI) to do their job. Examples of business associates include:

  • Third-party administrators
  • Legal services
  • Accounting and billing firms
  • IT contractors
  • Companies that house or dispose of medical records

Covered entities must have written contracts or other arrangements with their business associates to ensure that the business associates safeguard PHI appropriately.

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) is any health-related information that a covered entity or a business associate has about you. This information can be about your past, current, or future mental or physical health, the healthcare services provided to you, or the payment for your healthcare.

PHI includes a wide range of identifiers, such as names, addresses, dates of birth, social security numbers, and medical record numbers, that can distinguish an individual.

Individually Identifiable Health Information

PHI can be in any form, including physical records, electronic records, or spoken information. Any identifiable health data that a covered entity or business associate creates, receives, stores, or transmits is considered PHI and is protected under the HIPAA Privacy Rule. This includes demographic information, test results, medical histories, insurance information, and supplementary information for healthcare identification and service administration.

HIPAA Rights

As a patient, you have several rights under the HIPAA Privacy Rule. You can ask to review and retrieve a copy of your medical records, request changes if you believe something is incorrect or incomplete, and receive a notice that explains how your health information may be used and shared. If you feel your privacy rights have been violated, you also have the right to file a complaint.

When Does HIPAA Apply?

The HIPAA Privacy Rule governs how covered entities and their business associates handle and share PHI. This includes sharing PHI for treatment, payment, healthcare operations, and certain other permitted uses and disclosures.

For treatment, this includes the provision, coordination, and management of healthcare and related services by various healthcare providers. Payment purposes involve activities such as determining eligibility for health insurance, billing, and collecting payment for healthcare services. Healthcare operations encompass a wide range of activities, including quality assessment and improvement, case management, and business planning.

When Does HIPAA NOT Apply?

There are some situations where the HIPAA Privacy Rule does not apply. While they may have health information about you, the following organizations are not required to follow HIPAA laws:

  • The majority of schools and their districts
  • Life insurers
  • Employers
  • Several law enforcement agencies
  • Most municipal offices
  • Workers' compensation carriers
  • State agencies like Child Protective Services
  • Auto insurers

Additionally, HIPAA does not apply to de-identified health information, which is health information that has been stripped of all identifiers that could be used to identify an individual. De-identified information can be used for research, public health, or healthcare operations purposes without the need for individual authorization.

HIPAA Exams: Your Guide to Compliance

Medical professionals must endeavor to understand the HIPAA Privacy Rule to ensure the proper handling of patients' personal health information. By familiarizing yourself with whom HIPAA covers, what constitutes PHI, your rights under HIPAA, and when the Privacy Rule does and does not apply, you can better protect your patients' privacy and maintain compliance with federal regulations.

To stay current on your HIPAA compliance training and ensure your practice is adhering to the latest guidelines, consider utilizing the services of HIPAA Exams. We offer comprehensive training courses, resources, and support to help you maintain the highest privacy and security standards for your patients' PHI. Head to our website to get started today!