What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare organizations and their business associates. But what are covered entities under HIPAA, and which companies may be considered business associates?

Covered Entities Under HIPAA

Covered entities under HIPAA include persons or entities that transmit protected health information (PHI) electronically for transactions that are covered by the standards implemented by the Department of Health and Human Services (see 45 CFR 160.103).

Transactions include transmitting healthcare claims, payment and remittance advice, medical data, information for the coordination of health benefits, enrollment and disenrollment, eligibility assessments, medical electronic fund transfers, and referral certification and authorization.

Health plans, healthcare providers, and healthcare clearinghouses are covered entities under HIPAA. Health plans consist of health insurance firms, health maintenance companies, government services that pay for medical care like Medicare, and military and veterans’ health programs.

Healthcare clearinghouses are institutions that process nonstandard health data and convert it into formats that conform to the standards laid out in the HIPAA administrative simplification rules.

Healthcare providers consist of hospitals, clinics, physicians, psychologists, chiropractors, dentists, nursing homes, home health agencies, pharmacies, and other providers of medical care that transfer health data digitally.

HIPAA also applies to business associates of HIPAA-covered entities, including their subcontractors.

What is a Business Associate?

A business associate may be a person or firm that provides services to a HIPAA-covered entity and, in doing so, could access, retain, use, or transfer PHI. Business associates of HIPAA-covered entities include third-party administrators, billing firms, transcriptionists, cloud service providers, data storage companies (both digital and physical records), EHR service companies, lawyers, CPA firms, pharmacy benefits managers, collections agencies, claims processors, and medical device manufacturers.

Before a business associate can be given PHI or systems access, they should sign a business associate agreement (BAA) with the covered entity. A BAA is an agreement that details the duties of the business associate regarding HIPAA and PHI.

Fines for HIPAA Rules Violations

Non-compliance with any part of HIPAA could result in a financial penalty. The fine for a violation of HIPAA can be up to $50,000 per case, up to a maximum of $1.5 million for every violation category in a year.

If HIPAA violations are permitted to continue for many years, or if several violations of HIPAA Rules are found, multi-million-dollar penalties are possible. Criminal charges are also possible for some classes of HIPAA violations.