HIPAA Questions: Who Does HIPAA Apply To?

Are you wondering if HIPAA applies to you or your workforce? Are you wondering to what degree is your personal health information protected? If that's the case, you're in the right place.

There is often confusion about who exactly falls under the purview of HIPAA. In this article, we will delve into the question of who HIPAA applies to and shed light on the entities and individuals that are subject to its regulations.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law enacted in the United States in 1996 to protect the privacy and security of individuals' health information. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as to their business associates, who handle or process protected health information (PHI) on their behalf.

Is All Medical Information Protected?

In short, no. HIPAA protects only that information held by identified healthcare entities. For instance, healthcare information on your iPhone or Fitbit would not be covered by HIPAA. Similarly, genetic data on sites like 23AndMe or Ancestry.com would not be covered either. Even apps that assist you in keeping your blood pressure regulated might not be covered. Other agreements or laws, such as privacy disclosures required on some apps, may secure your information, but HIPAA will not. Employers are not usually covered, and HIPAA does not apply to them. If necessary, to help others stay safe, your employer can share that you are ill with others. But for instance, the Americans with Disabilities Act may prevent disclosure of PHI about you.

Administrative Simplification Provisions

Either way, it's still not as clear who HIPAA applies to. Even when you examine the Administrative Simplification Provisions, it's still confusing. The language used in this provision has been interpreted to imply that HIPAA applies to electronic conduct. It's clear that all standards developed in the act apply to most healthcare entities. But further language within the provisions reinforces that the act applies to electronic transactions. It's only in the final section of the provisions that any reference was made to the standards on PHI privacy. This subsection requires the Secretary of HHC to enforce the defense of PHI, but only on the condition that Congress fails to do so in the first three years. This means that the state Congress has greater discretionary power when it comes to HIPAA enforcement. Nonetheless, this also means that the process will take a substantially longer time because of the collective involvement. It takes a big team to make a decision this grandiose. Big decisions come with a big responsibility, so it's no surprise that it takes time.

Can A Provider Be Required to Disclose Protected Health Information Without Permission?

Even though HIPAA has non-disclosure policies, there are exceptions to it. For instance, HIPAA allows covered entities to disclose patient data if it helps treat others. But also, for law enforcement reasons or to protect public health. Other exceptions apply during pandemics as well. For example, health facilities might have access to data in a region that's positive for a virus. HIPAA and other laws require them not to release information that is not needed to keep others safe. Health departments will provide notifications on how many individuals have tested positive as well as how many became hospitalized, but they are not able to release the names to the public. Health contact tracers may reveal identities if it's required to alert specific individuals that they were exposed to the virus. HIPAA covers any regular John as much as it covers us. It might be for the greater good to know about their health, but health providers can only provide so much as to not expose any more than he allowed to share. They cannot say something that's not true even though they can choose to omit information if necessary.

HIPAA Answers: Who Are Covered Entities?

Under HIPAA, covered entities are defined as specific types of organizations or individuals that are subject to the privacy and security provisions of the law. The following are the main categories of covered entities:

Healthcare Providers

This includes healthcare professionals, such as doctors, nurses, chiropractors, psychologists, and hospitals, as well as medical clinics, nursing homes, pharmacies, and other healthcare facilities that provide medical services and handle PHI.

Health Plans

Health plans encompass various entities that provide or pay for medical coverage, including health insurance companies, HMOs (Health Maintenance Organizations), employer-sponsored health plans, government programs (such as Medicare and Medicaid), and certain types of health benefit programs.

Healthcare Clearinghouses

Healthcare clearinghouses are entities that process or facilitate the electronic submission of healthcare claims or other transactions. They may receive non-standardized data from various sources and convert it into standardized formats for further processing.

Who Are HIPAA Business Associates?

A business associate under HIPAA is an entity or individual that is required to perform activities on behalf of the covered entity. Specifically, those that include the disclosure or use of PHI. Any business associate is required to sign a business HIPAA-compliant agreement. Business associations cover a wide variety of entities and individuals, including process claims, administrative service providers, billing, payment, collection providers, quality assurance, and data analysis. They can also include consultants, accountants, data storage agencies, attorneys, and data management firms. This list is not extensive, so it's important to cover the role of subcontractors in HIPAA as well. This means that HIPAA does apply to subcontractors of associates. If a business associate of a covered entity contracts work to other entities, and that entity has to use or access PHI to complete their jobs, HIPAA requires compliance. Thus, business associates must also enter into an agreement with their subcontractors. A signed business associate agreement ensures the satisfaction of the subcontractor being informed, as well as the fact that they are aware of their responsibilities regarding PHI.

Are Researchers Covered Under HIPAA?

So, if employees of covered entities are not associates in business and subcontractors are covered under HIPAA, what about researchers? Well, HIPAA rules do allow the covered entity to share PHI with researchers. Suppose the patients have authorized use and disclose information for purposes of research. In such instances, PHI is shareable. A business associate agreement does not have to exist, although covered entities do have to have a data use agreement. This agreement provides satisfaction for the fact that HIPAA complies with the limited set of data provided.

Is HIPAA Applicable In Public Health Emergencies?

If a president declares a disaster or emergency of immediacy, and the Secretary for Health and Human Services declares it a public health emergency, enforcement against non-compliance of covered entities is waivable altogether. But the waiving of enforceable action will is not related to some provisions of the Privacy Rule. Meaning not the rule in its totality. For recent and updated HIPAA information in regards to global events, visit the official HHS website to read through it. Lots of new information is usually excluded from HIPAA training agencies or courses. So make sure that you're carefully selecting who will be providing the information for you.

Does HIPAA Require Encryption?

HIPAA does not explicitly require the use of encryption, but it does consider encryption as an addressable implementation specification under the Security Rule. This means that covered entities and business associates are required to assess the potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI) and determine whether encryption is reasonable and appropriate in their specific circumstances. If encryption is deemed appropriate, its use is encouraged as a safeguard to protect ePHI. However, covered entities have flexibility in selecting alternative measures if encryption is not reasonable and appropriate for their environment.

Does HIPAA Apply to Minors?

Yes, HIPAA applies to the PHI of anyone, regardless of their age. Minors have the same privacy rights and protections as adults under HIPAA. Healthcare providers and other covered entities must comply with HIPAA regulations when handling and disclosing PHI, including that of minors. However, there are certain situations where parental or guardian consent may be required or specific rules for disclosing information related to minors, such as psychotherapy notes or substance abuse treatment records.

Is HIPAA International?

HIPAA is a United States federal law, and its jurisdiction is primarily within the United States. However, as healthcare data can be transmitted across international borders, there may be some implications for international entities that handle or process PHI from the United States. These entities, referred to as business associates under HIPAA, are required to enter into agreements with covered entities to ensure compliance with HIPAA's requirements when handling PHI. Additionally, international organizations that interact with U.S.-based healthcare entities or exchange health information with them may need to consider the privacy and security requirements of HIPAA in their data handling practices to ensure compliance. It's important to note that other countries may have their own data protection and privacy laws that apply to health information, such as the General Data Protection Regulation (GDPR) in the European Union.

Does HIPAA Certification Expire?

HIPAA does not provide for a specific certification process or require organizations to obtain HIPAA certification. Instead, HIPAA sets forth standards and requirements that covered entities and business associates must meet to protect the privacy and security of health information. Compliance with HIPAA is an ongoing responsibility, and organizations are expected to maintain and regularly review their practices to ensure continued compliance. While there is no expiration for a HIPAA certification, organizations may undergo periodic audits or assessments to validate their compliance with HIPAA requirements.

HIPAA Compliance Made Easy

Now that you have discovered the vetted HIPAA answers that make compliance easier, you are that much closer to ensuring that you and your associates are HIPAA compliant. Yet, it can still be difficult to determine who is subject to coverage and who is not. If you're having trouble navigating the complicated legislation of HIPAA, you might find great use in our compliance courses and HIPAA training.

Whether you’re a healthcare worker, or a business associate, we make getting your HIPAA certification easy. Enroll today!