HIPAA Answers: Who Does HIPAA Apply To?
Greg Garner
Are you wondering whether HIPAA applies to you or your workforce? Are you wondering to what degree your personal health information is protected? If so, you are in the right place.
In essence, HIPAA has a set of parameters that determine whether an entity is a “Covered Entity”, meaning that HIPAA applies to it in full scope. A covered entity must be fully compliant with HIPAA to avoid violations, although some exceptions make the disclosure and use of PHI acceptable.
In this segment of HIPAA answers, we will cover who is a covered entity under HIPAA, as well as some specific scenarios that fall under the exceptions that make the disclosure and use of PHI acceptable.
Whenever you are ready to bring your HIPAA awareness up to date, keep reading.
What Is HIPAA?
HIPAA, also known as the Health Insurance Portability and Accountability Act, is a federal law enforced since 2003. The need for this law became apparent when medical records of public figures were sold to tabloids for paparazzi purposes.
People worried about their genetic privacy as well. Congress recognized that the internet would make it easy for these health care privacy concerns to rise to the top of many breaches.
This law prohibits health care businesses and providers, and those who work with them, from disclosing health information without permission. This includes pharmacies, laboratories, administrative staff, and health insurers.
The protected information includes details about sickness, symptoms, and test results. But there are some exceptions.
HIPAA is a serious body of legislation. As the title suggests, it addresses the accountability and portability of covered entities with regard to providing benefits when members covered by such entities have pre-existing conditions.
In this understanding, HIPAA applies to most workers, to employers who sponsor or co-sponsor health insurance plans, and to most health insurance providers. HIPAA consists of four other rules, ranging from medical liability to expatriate taxes.
When you include the other sections about protecting PHI, one can claim that HIPAA applies to everyone, since consumers have a responsibility to understand their disclosure and privacy rights.
Is All Medical Information Protected?
In fact, no. HIPAA protects only information held by identified health care entities. For instance, health care information on your iPhone or Fitbit would not be covered by HIPAA. Similarly, genetic data on sites like 23AndMe or Ancestry would not be covered either.
Even apps that help you keep your blood pressure regulated might not be covered, unless you are using them at the direction of your health provider. Other agreements or laws, such as the privacy disclosures required of some apps, may protect your information, but HIPAA will not.
Employers are not usually covered, and HIPAA does not apply to them. If necessary to help others stay safe, your employer can share with others that you are ill. However, other laws, such as the Americans with Disabilities Act, may prevent disclosure of PHI about you.
Administrative Simplification Provisions
Either way, it is still not clear who HIPAA applies to. Even when you examine the Administrative Simplification Provisions, it remains confusing. The language used in these provisions has been interpreted to imply that HIPAA applies to electronic conduct.
It is clear that all standards developed in the Act apply to most health care entities, but further language within the provisions reinforces that the Act applies to electronic transactions.
It is only in the final section of the provisions that any reference is made to the standards on PHI privacy.
This subsection requires the Secretary of HHS to enforce the protection of PHI, but only on the condition that Congress fails to do so within the first three years.
This means that Congress has greater discretionary power when it comes to HIPAA enforcement. It also means that the process takes substantially longer because of the collective involvement.
It takes a big team to make a decision of this magnitude. Big decisions come with big responsibility, so it is no surprise that they take time.
Can A Provider Be Required to Disclose Protected Health Information Without Permission?
Even though HIPAA has non-disclosure policies, there are exceptions to them. For instance, HIPAA allows covered entities to disclose patient data if it helps treat others, for law enforcement reasons, or to protect public health.
Other exceptions apply during pandemics as well. For example, while health facilities might have access to data on a region that has tested positive for a virus, HIPAA and other laws require them not to release information that is not needed to keep others safe.
Health departments will provide notice of how many individuals have tested positive and how many have been hospitalized, but they are not able to release names to the public. Health contact tracers may reveal identities if required in order to alert specific individuals that they were exposed to the virus.
HIPAA covers an ordinary person just as much as it covers anyone else, even when it might seem to be for the greater good to know about their health.
Health providers can disclose only as much as they are allowed to share. They cannot say anything that is not true, although they can choose to omit information if necessary.
HIPAA Answers: Who Are Covered Entities?
Going further with our HIPAA answers, consider the entities that have to integrate HIPAA compliance into their work environment. The Privacy Rule issued in 2003 was the first HIPAA document to use the term “Covered Entities”.
The Department of Health and Human Services was not entirely clear about who the covered entities were, listing those covered by the Rule as health clearinghouses, health plans, and health care providers who send health information electronically.
But under the definitions of what health data is subject to protection, HHS states that all individually identifiable health information that is transmitted or held, whether oral, on paper, or electronic, is protected.
This makes all health providers subject to the Privacy Rule, no matter how they create, share, send, or store PHI.
Business associates and employees of covered entities should be required to follow HIPAA under the workplace policies for employees.
These policies should outline the sanctions for HIPAA violations and how violations will be investigated. If these policies do not exist, the employer is violating HIPAA.
BAs and CEs have an obligation to assess the potential for accidental violations, and they must put reasonable measures in place to prevent anticipated violations.
Yet it is impossible to prevent all accidental violations or the circumstances that lead to them. An assessment of the damage caused will help determine the outcome of a violation investigation.
Who Are HIPAA Business Associates?
A business associate under HIPAA is an entity or individual that performs activities on behalf of a covered entity, specifically activities that involve the disclosure or use of PHI.
Any business associate is required to sign a HIPAA-compliant business associate agreement. The contract must describe the HIPAA elements that the associate is to follow.
Business associates must agree to put safeguards in place to protect the integrity, confidentiality, and availability of PHI, along with access controls to prevent unauthorized access or disclosure.
They must accept that they cannot use PHI for any purpose other than the one for which the information was disclosed to them in the first place.
They must not disclose the data to other entities or individuals (subcontractors excluded). They must provide individuals with copies of their PHI upon request and must notify the covered entity of PHI breaches.
Business associates cover a wide variety of entities and individuals, including claims processors, administrative service providers, billing, payment, and collection providers, quality assurance and data analysis providers, consultants, accountants, data storage agencies, attorneys, and data management firms.
This list is not exhaustive, so it is important to cover the role of subcontractors in HIPAA as well. HIPAA does apply to subcontractors of business associates: if a business associate of a covered entity contracts work to another entity, and that entity has to use or access PHI to complete the job, HIPAA requires compliance.
Thus, business associates must also enter into an agreement with their subcontractors. A signed BAA ensures that the subcontractor has been informed of, and is aware of, its responsibilities regarding PHI.
Are Researchers Covered Under HIPAA?
So if employees of covered entities are not business associates, and subcontractors are covered under HIPAA, what about researchers?
HIPAA rules do allow a covered entity to share PHI with researchers if the patients have authorized the use and disclosure of their information for research purposes.
In such instances, PHI is shareable and a business associate agreement does not have to exist. Covered entities do, however, have to have a data use agreement. This agreement ensures that the limited data set provided is handled in compliance with HIPAA.
Is HIPAA Applicable In Public Health Emergencies?
If the President declares a disaster or emergency, and the Secretary of Health and Human Services declares a public health emergency, enforcement against non-compliance by covered entities can be waived altogether.
However, the waiver of enforcement action relates only to some provisions of the Privacy Rule, not to the rule in its totality.
For recent and updated HIPAA information regarding global events, visit the official HHS website. Newer information is often left out of HIPAA training agencies or courses, so make sure you carefully select who will be providing your training.
Tips for Being HIPAA Compliant
Covered entities and business associates must ensure that their administrative practices and systems enforce HIPAA compliance. Staff must be routinely trained in all policies, standards, and procedures, and they are required to attest that they have been fully trained.
Furthermore, for compliance, entities must ensure that all data is secure. This includes technical safeguards such as restrictions on ePHI, primarily requiring identity verification with unique methods of identification, tokenization, and encryption, as well as monitoring hardware and access logs for activity, using HIPAA-compliant email services, and so on.
It also includes physical safeguards, such as restricting access to buildings and implementing procedures for information disposal and social media use.
According to the Security Rule, risk analysis must be a continual process in which the entity reviews its records to detect security concerns and track ePHI access, and assesses its security measures and the risks that are evident to PHI.
To follow these requirements, HIPAA entities must perform annual audits to identify gaps and problems in their implementation of the security standards. These audits should cover physical security and administrative practices, as well as the technical security measures the organization deploys to achieve HIPAA compliance.
HIPAA Compliance Made Easy
Now that you have discovered the vetted HIPAA answers that make compliance easier, you are that much closer to ensuring that you and your associates are HIPAA compliant.
Yet it can still be difficult to determine who is subject to coverage and who is not. If you are having trouble navigating HIPAA's complicated legislation, you might find great use in compliance courses and HIPAA training.
If you are interested, get in touch with us. We will happily set you up with learning material that will help with your HIPAA compliance.