HIPAA, or the Health Insurance Portability and Accountability Act, applies to a wide range of entities involved in healthcare, including healthcare providers, health plans, and healthcare clearinghouses. If you work in the healthcare industry or handle sensitive patient information, it’s essential to understand to whom HIPAA applies and what your responsibilities are under the law. In this blog post, we’ll take a closer look at whom HIPAA applies to and what you need to know to ensure compliance with the law.
Introduction To HIPAA
Does HIPAA Apply To Everybody?
While HIPAA applies to a wide range of healthcare entities, there are some exemptions to the law. Here are some examples of entities to whom HIPAA does not apply:
- Life insurance companies: HIPAA does not apply to life insurance companies or their agents, as they are not healthcare entities.
- Employers: HIPAA generally does not apply to employers, except in certain limited circumstances, such as when an employer provides healthcare services to its employees.
- Workers’ compensation: HIPAA does not apply to workers’ compensation programs or their administrators, as they are not healthcare entities either.
- Schools: HIPAA generally does not apply to schools, except in certain limited circumstances, such as when a school provides healthcare services to its students.
Overall, it’s important to note that even if an entity is not covered by HIPAA, it may still be subject to other federal and state privacy and security laws that apply to the handling of personal information.
Who Does HIPAA Apply To?
HIPAA, or the Health Insurance Portability and Accountability Act, applies to a wide range of healthcare entities that handle protected health information (PHI). Here are some examples of whom HIPAA applies to:
Covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. This includes doctors, hospitals, clinics, nursing homes, health insurance companies, and other healthcare providers. Covered entities must comply with the Privacy Rule, Security Rule, and Breach Notification Rule, and must protect the privacy and security of patients’ protected health information.
A business associate is any person or entity that performs certain functions or activities involving protected health information on behalf of a covered entity. This includes third-party administrators, billing companies, and other service providers. Business associates must enter into a written agreement with the covered entity, called a Business Associate Agreement, that outlines the specific safeguards the business associate will implement to protect the privacy and security of the PHI they handle.
A subcontractor is any person or entity that performs services on behalf of a business associate that involve the use or disclosure of protected health information. Subcontractors must also enter into a written agreement with the business associate that outlines the specific safeguards they will implement to protect the privacy and security of the PHI they handle.
Hybrid entities are organizations that perform both covered and non-covered functions. They are only subject to HIPAA to the extent that they conduct covered functions. For example, a university that has a healthcare clinic would only be subject to HIPAA for the clinic portion of the organization, and not for other non-covered functions such as the academic departments.
Researchers are individuals or entities that conduct research involving protected health information. They are subject to HIPAA if they are conducting research that involves PHI that is obtained from a covered entity or business associate. Researchers must comply with the HIPAA Privacy Rule, which requires them to obtain authorization from individuals before using or disclosing their PHI for research purposes or to obtain a waiver of authorization from an Institutional Review Board (IRB).
Overall, HIPAA applies to any entity that handles PHI in connection with certain transactions, or that provides services to entities that handle PHI.
Requirements To Get HIPAA-Compliant
To become HIPAA-compliant, covered entities, business associates, and subcontractors must meet certain requirements to protect the privacy and security of protected health information (PHI). Here are some of the key requirements for HIPAA compliance:
- Privacy Rule: The HIPAA Privacy Rule requires covered entities to implement policies and procedures to protect the privacy of patients’ PHI, including how the information is used and disclosed. Covered entities must also provide patients with a notice of their privacy practices, obtain written consent for certain uses and disclosures of PHI, and give patients the right to access and amend their PHI.
- Security Rule: The HIPAA Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). This includes implementing access controls, conducting risk assessments, and developing an incident response plan.
- Breach Notification Rule: The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Secretary of HHS, and, in some cases, the media, if there is a breach of unsecured PHI.
- Training: Covered entities and their business associates must provide HIPAA training to their employees and workforce members who have access to PHI. The training must cover the policies and procedures for protecting PHI and the consequences of non-compliance.
- Business Associate Agreements: Covered entities must have written agreements in place with their business associates that outline the business associate’s responsibilities for protecting PHI.
- Risk Assessments: Finally, covered entities and business associates must conduct regular risk assessments to identify potential vulnerabilities in their systems and processes for protecting PHI.
Overall, becoming HIPAA-compliant requires a comprehensive approach to protecting PHI. Covered entities and their business associates must develop and implement policies and procedures, train their employees, and regularly assess their systems for potential risks.
In conclusion, HIPAA applies to various entities that handle protected health information (PHI), including covered entities, business associates, subcontractors, hybrid entities, and researchers. Becoming HIPAA-compliant requires adherence to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as well as regular risk assessments, employee training, and the development of business associate agreements. By implementing these requirements, entities can ensure the protection of patient privacy and maintain compliance with HIPAA regulations. If you are looking to implement any of the Infosec compliance frameworks such as SOC 2 compliance, HIPAA, ISO 27001, and GDPR compliance, Impanix can help. Book a free consultation call with our experts or email us at [email protected] for inquiries.