The Health Insurance Portability and Accountability Act (HIPAA) Rules aim to keep protected health information (PHI) secure and define its allowable uses and disclosures. Which organizations must follow the HIPAA Rules? HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health data in connection with transactions for which the Department of Health and Human Services (HHS) has set standards.
Healthcare providers include hospitals, nursing homes, health clinics, pharmacies, doctors, dentists, psychologists and chiropractors. Health plans include health insurance providers, HMOs, company health plans, Medicare, Medicaid and other government healthcare programs, and veterans' health programs. Self-insured companies that give their employees health coverage must also comply with the HIPAA Rules. Healthcare clearinghouses are entities that provide healthcare organizations with the service of transforming nonstandard health information into a different format.
All of the above-mentioned entities must comply with the HIPAA Rules (see 45 CFR 160.103); otherwise, they face severe financial penalties. Business associates of HIPAA covered entities must also follow the HIPAA Rules or they will be penalized.
When an individual or entity performs functions that use or disclose PHI for a HIPAA-covered entity, that entity is considered a HIPAA business associate. Before providing the service, the business associate must sign a contract or business associate agreement (BAA) (See 45 CFR 164.504(e)). It is stipulated in the contract that the business associate:
- Agrees to implement security controls to ensure the confidentiality, integrity and availability of PHI
- Agrees not to use PHI for any purpose that is not the intended reason for disclosure
- Agrees not to disclose PHI to anyone or any entity
- Agrees to provide copies of their PHI to anyone who requests them
- Agrees to notify the covered entity in case a PHI breach occurs
Business associates include companies that provide services such as billing, data analysis, administrative help, claims processing and payment collection. Accountants, lawyers, consultants, and data storage and management firms are also business associates.
Subcontractors of business associates that are required to view or use PHI to do their duties must also follow the HIPAA Rules. In this case, there must be a signed business associate agreement between the business associate and the subcontractor.
Researchers employed by covered entities are not considered business associates. Covered entities can disclose PHI to researchers for research purposes if authorized by the patients. A BAA is not required in this case. However, the covered entity must have a data use agreement with the researcher to ensure the HIPAA Rules are followed.
Disclaimer: Not all healthcare organizations need to follow HIPAA Rules. HIPAA applies only to those that transmit PHI electronically for transactions that require HHS standards.