Who Is Bound by HIPAA

Nearly every American knows about the Health Insurance Portability and Accountability Act (HIPAA). But awareness of HIPAA is different from knowledge. In fact, HIPAA may be one of the most misunderstood regulations among the general public.

You need only look to social media to see claims that a post was a “HIPAA violation,” but saying so doesn’t make it so. You can’t break the speed limit in a city if you’re not driving in that city. 

Violations of any law can only occur if it applies to the situation. 

Before determining if a HIPAA violation has occurred, we need to understand who is bound by HIPAA regulations.

The Basics of Who is Bound by HIPAA

HIPAA rules and regulations define two groups to which the law applies. The first is covered entities – healthcare providers, health insurance companies, and healthcare clearinghouses. These organizations were the primary focus when the law was initially signed in 1996. 

All three groups perform activities essential to protected health information (PHI) as defined by the law. PHI is the axis upon which the whole law rotates. 

Healthcare providers create and use PHI during the diagnosis and treatment of patients. Healthcare clearinghouses serve as middlemen between insurance companies and providers by processing or facilitating the processing of nonstandard data elements of health information into standard data elements.

Insurance companies use healthcare clearinghouse data to determine the eligibility of healthcare services performed by covered entities and to make payments for services deemed eligible.

The second group required to follow HIPAA guidelines is business associates. According to the law, any business that performs services for a covered entity and must take possession of PHI to do so is considered a business associate.

In 2013, the HIPAA Omnibus Rule added requirements for healthcare providers to update their business associate agreements, obtain assurances from business associates that they comply with the HIPAA Security Rule, and update their Notice of Privacy Practices.

Who is Not Required to Follow HIPAA?

The easy answer to this question is anyone who is not a covered entity or business associate as defined by HIPAA. Many organizations possess data that would be considered PHI under HIPAA, but because they are not covered entities, they are not required to achieve HIPAA compliance. Some examples include:

  • Life insurers
  • Employers
  • Workers’ compensation carriers
  • Most schools and school districts
  • Many state agencies, like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

Organizations not bound by HIPAA that suffer data breaches resulting in the release of a person’s health information may be liable under state or local privacy laws and could also face civil lawsuits for damages from affected individuals.

HIPAA is only enforced against covered entities and the vendors serving them with access to PHI. However, a healthcare provider that does not send claims or billing for any covered services electronically is not considered a covered entity under HIPAA.  

What to Do If You’re Required to Follow HIPAA

It can be overwhelming if you or your organization are required to adhere to HIPAA standards. The law is intentionally written vaguely so that it can apply to every potential organization regardless of size or location.

Compliancy Group is ready to help you become compliant in a way that respects your time and shows you how every step in the process fits together to build complete HIPAA compliance. Contact one of our experts and see how simple HIPAA compliance can be.
