HIPAA 101 for Accountants

HIPAA 101 for accountants – doesn’t sound like there’s much to write about that, at first blush. HIPAA 101 for accountants can’t mean “At a 101 level, accountants are subject to HIPAA because accountants are covered entities.” Covered entities include healthcare providers, health plans, and healthcare clearinghouses – not accountants or accounting firms. So, what could HIPAA 101 for accountants possibly consist of?

HIPAA 101 for Accountants: Accountants as Business Associates

Covered entities are not the only entities that must comply with HIPAA. Business associates of covered entities must also comply with HIPAA.

When a business associate carries out a covered entity’s obligations under the HIPAA Privacy Rule, the business associate must comply with the same requirements of the Privacy Rule that apply to the covered entity in the performance of these obligations.

In addition, business associates are subject to the entirety of the HIPAA Security Rule.

Accountants perform a variety of services for covered entities. These services include:

  • Auditing a healthcare organization’s healthcare records
  • Tracking treatment invoices to monitor a patient’s co-payments, deductibles, or out-of-pocket expenses
  • Monitoring payments provided by health insurers 
  • Writing off patient bills

Any accounting firm that provides such services to a healthcare provider, AND receives or maintains PHI as part of providing these services, is considered a business associate under HIPAA. 

If an accountant or accounting firm provides services to a covered entity that do NOT involve the use or disclosure of protected health information (or electronic protected health information), the accountant is not a business associate.  

What are Accountants’ Responsibilities under HIPAA?

In addition to the general requirement of compliance with the HIPAA Privacy and HIPAA Security rules, accountants that seek to act as business associates of covered entities must enter into specific business associate agreements with these covered entities. In the agreement, the covered entity must impose specified written safeguards on the PHI used or disclosed by its business associates.

There are a number of ways in which an accountant business associate receives, maintains, transmits, uses, or discloses PHI. Just a few of these include: 

  • PHI may come into the possession of an accountant or CPA business associate who provides litigation support services.
    • Litigation in which accounting support services are often required includes divorce litigation as well as litigation brought by or against a healthcare provider.
  • Accountants who test audit controls as part of following audit procedures may receive PHI or ePHI.
  • A covered entity may mention something to the accountant about the provision of healthcare to a specific individual. In so doing, the covered entity has transmitted PHI, and the business associate has received it.
  • An accountant can also come into contact with PHI while consulting with a provider about financial matters such as revenue cycles and revenue streams.

Furthermore, under HIPAA, a subcontractor of a business associate is itself a business associate. This means that if an accounting firm uses independent contractors that have access to PHI, the accounting firm must enter into a business associate agreement with the independent contractor.