Is Your Business Subject to HIPAA: A Step-by-Step Guide to Determine the Answer
The question “Is your business subject to HIPAA?” can be answered by the step-by-step analysis shown below.
Step 1: Does Your Business Create, Receive, Store, or Maintain Protected Health Information?
Under the HIPAA regulations, the privacy and security of protected health information must be maintained. Protected health information is health data created, received, stored, or transmitted by HIPAA-covered entities (health care providers, health plans, and health care clearinghouses) and their business associates in relation to the provision of health care, health care operations, and payment for health care services.
Protected health information is usually shortened to PHI, or ePHI when it is in electronic form. The distinction matters: the Privacy Rule covers PHI in any form (electronic, paper, or oral), while the Security Rule’s administrative, physical, and technical safeguards apply only to ePHI.
For health information to be considered to be PHI and protectable under HIPAA, it must:
- Be individually identifiable health information, meaning it either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual;
- Relate to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual;
- Be created or received by a health care provider, health plan, health care clearinghouse, or employer; and
- Be transmitted or maintained by a covered entity or its business associate in any form or medium, whether electronic media, paper, or oral communication.
Therefore, the mere mention of someone’s medical condition does not trigger HIPAA’s privacy and security requirements. Not all medical information is protected under HIPAA; only PHI is. Imagine, for a moment, if any and all medical information were protected by HIPAA. The everyday implications would be staggering: any individual communicating medical information to another individual would become subject to the law, and neighbors talking over the fence about their health would theoretically be required to be HIPAA-compliant. A law demanding such total compliance would be impossible to administer and impossible to enforce. The same logic explains the exclusions built into the rules: data that has been de-identified under the Privacy Rule’s standards, and employment records that a covered entity holds in its role as an employer, are not PHI.
Therefore, the authors of HIPAA placed only certain medical information within its regulatory ambit: information that can identify a specific person and that is created, stored, transmitted, or maintained by specific entities.
To summarize, if your business does not create, receive, store, or maintain PHI or ePHI, your business is not subject to HIPAA. No PHI means no need to conduct further analysis. If your business does create, receive, store, or maintain protectable PHI or ePHI, the next step in the analysis is presented below:
Step 2: Is Your Business a Covered Entity or Business Associate Performing Covered Transactions?
HIPAA regulates two kinds of entities that create, maintain, receive, or transmit PHI: covered entities and business associates.
The first of these are known as covered entities. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. Note that health plans and clearinghouses are covered entities by definition; only for health care providers does covered-entity status depend on conducting standard transactions electronically.
These transactions are known as “covered transactions.” HIPAA-covered transactions are transactions involving: “…the transmission of information between two parties to carry out financial or administrative activities related to health care.”
HIPAA-covered transactions include the following types of information transmissions:
- Health claims or equivalent encounter information
- Health care payment and remittance advice
- Coordination of benefits
- Health care claim status
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health plan premium payments
- Referral certification and authorization
- First report of injury
- Health claims attachments
The second type of entity that creates, stores, maintains, or receives PHI is known as a business associate. Business associates are persons or entities who, on behalf of a covered entity, perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.
Business associates are also persons or entities providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity. A member of a covered entity’s workforce is not one of its business associates. A covered entity may be a business associate of another covered entity. Since the 2013 Omnibus Rule, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate, so the obligation follows the data down the supply chain. In practice this means a cloud or hosting provider that stores ePHI for a covered entity is a business associate even if the data is encrypted and the provider never looks at it; only services that merely transmit PHI without routine access to it (the so-called conduit exception, such as a courier or an internet service provider) fall outside the definition.
If your business is neither a covered entity nor a business associate, then, generally, your business is not subject to HIPAA. If your business is a health plan or a health care clearinghouse that handles PHI, or a health care provider that handles PHI and electronically conducts any of the covered transactions listed above, your business is a covered entity and is subject to HIPAA. If your business creates, receives, maintains, or transmits PHI on behalf of a covered entity (or on behalf of another business associate), your business is a business associate, must enter into a business associate agreement, and is directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule, regardless of whether it performs any covered transaction itself.