The HIPAA guidelines for medical offices are no different than for any other healthcare facility that qualifies as a HIPAA covered entity or business associate. However, medical offices may have fewer “applicable” HIPAA guidelines to comply with than larger healthcare facilities.
Whenever HIPAA covered entities, business associates, and subcontractors of business associates create, receive, maintain, or transmit Protected Health Information (PHI), they are required to comply with all “applicable administrative simplification provisions” in order to be HIPAA compliant.
The administrative simplification provisions are the regulations, standards, and implementation specifications published in 45 CFR Parts 160,162, and 164. These Parts include (but are not limited to) the HIPAA General Rules, the General Provisions for Transactions, and the Privacy, Security, and Breach Notification Rules.
The HIPAA Guidelines for Medical Offices
Covered entities, business associates and subcontractors do not have to comply with every regulation, standard, and implementation specification – only those that are applicable to their activities. In the context of the HIPAA guidelines for medical offices, this may mean:
- If authorization, claims, and billing service are outsourced, not having to comply with the provisions of Part 162
- If the medical office is located within a secure complex, not having to compile a physical facility security plan
- If the medical office has fewer than 500 patients, not having to comply with §164.406 of the Breach Notification Rule
- If the facility does not maintain an inpatient directory, not having to comply with §164.510(a) of the Privacy Rule
- If the facility does not share PHI for research, not having to comply with §164.514(a), (b), and (c) of the Privacy Rule.
Additionally, there are many regulations, standards, and implementation specifications that apply exclusively to health plans and/or health care clearinghouses and that would not be included in HIPAA guidelines for medical offices.
However, it is necessary to review Parts 160, 162, and 164 of the Administration Simplification Regulations to determine which regulations, standards, and implementation specifications apply – as these can vary depending on the services provided to patients, interactions with other organizations required to comply with HIPAA, or the services provided to a covered entity as a business associate.
When Might a Medical Office be a Business Associate?
In most cases, healthcare providers can disclose PHI with other healthcare providers without a patient’s authorization when both are covered entities and both have a direct treatment relationship with the patient (Part 2 SUD records and some mental health records being common exceptions).
When a medical office does not qualify as a HIPAA covered entity because (for example) it either provides a service not covered by §1395x(s) of the Public Health and Welfare Code, because it bills patients directly, or because it does not conduct Part 162 transactions electronically, any services provided to or on behalf of a covered entity are provided as a business associate.
In such circumstances, the HIPAA guidelines for medical offices are that the medical office must comply with all applicable provisions of the Security and Breach Notification Rule, and any provisions stipulated in the Business Associate Agreement between the medical office and the covered entity the service is being provided for or on behalf of.
This will usually mean the medical office has to comply with certain Privacy Rule standards – but not all. For example, when working as a business associate for a covered entity, medical offices do not have to provide a Notice of Privacy Practices and may not be required to comply with the patients’ rights provisions depending on how PHI is maintained.
Who Coordinates and Oversees the Various Aspects of HIPAA Compliance in a Medical Office?
Depending on the status of the medical office (i.e. a covered entity or business associate), the persons responsible for coordinating and overseeing the various aspects of HIPAA compliance in a medical office are the HIPAA Privacy Officer and the HIPAA Security Officer.
In smaller medical offices, it is more likely that one person would be assigned both roles; or that a third party consultant coordinates the HIPAA guidelines for medical offices and – once they are established – a person assigned the roles of HIPAA Privacy and Security Officer oversees them.
Medical offices unsure about whether a third party consultant would be beneficial to their compliance efforts are invited to review our HIPAA Compliance Guide. The Guide will help determine whether there are elements of compliance that the medical office requires assistance with.