You need only look to social media to see claims that a post was a “HIPAA violation,” but saying so doesn’t make it so. You can’t break the speed limit in a city if you’re not driving in that city.
Violations of any law can only occur if it applies to the situation.
Before determining if a HIPAA violation has occurred, we need to understand who is bound by HIPAA regulations.
The Basics of Who is Bound by HIPAA
HIPAA rules and regulations define two groups to which the law applies. The first is covered entities – healthcare providers, health insurance companies, and healthcare clearinghouses. These organizations were the primary focus when the law was initially signed in 1996.
All three groups perform activities that are essential to the handling of protected health information (PHI) as defined by the law. PHI is the axis upon which the whole law rotates.
Healthcare providers create and use PHI during the diagnosis and treatment of patients. Healthcare clearinghouses serve as middlemen between insurance companies and providers by processing or facilitating the processing of nonstandard data elements of health information into standard data elements.
Insurance companies use healthcare clearinghouse data to determine the eligibility of healthcare services performed by covered entities and to make payments for services deemed eligible.
The second group that is required to follow HIPAA guidelines is business associates. According to the law, any business that performs services for a covered entity and, in doing so, takes possession of PHI is considered a business associate.
In 2013, the HIPAA Omnibus Rule added requirements for healthcare providers to update their business associate agreements, obtain assurances from business associates that they comply with the HIPAA Security Rule, and update their Notice of Privacy Practices.