A lack of knowledge about who is covered by HIPAA can lead to misconceptions about when it is permissible to disclose health information and who to. Additionally, a lack of knowledge about what is covered by HIPAA can lead to misconceptions about how health information can be used.
During the COVID-19 pandemic, the lack of knowledge about who is covered by HIPAA was evident. Newspaper articles questioned whether employers could ask employees about their vaccination status without violating HIPAA (see this article for the answer); and, in the highest legislative chamber in the country, a US Senator declined to reveal her vaccination status – claiming that even being asked was a violation of her HIPAA rights.
So, Who is Covered by HIPAA?
The Applicability clause of the HIPAA General Provisions (§160.102) explains who is covered by HIPAA. The clause states health plans, health care clearinghouses, and health care providers that conduct electronic transactions for which HHS has developed standards are covered by HIPAA. Additionally – and “where provided” – business associates that provide a service for or on behalf of an entity covered by HIPAA are also covered by HIPAA. But there are plenty of exceptions.
Health plans that offer insurance coverage under which the benefits for medical care are secondary to incidental or other insurance benefits (i.e., automobile insurance, liability insurance, etc.) are exempt, as are health plans providing disability income assurance, workers’ compensation insurance, or coverage for on-site medical clinics. Consequently, if you share personal health information with your automobile insurance firm, the information is not protected by HIPAA.
Healthcare providers that do not conduct electronic transactions for which HHS has developed standards are exempt from being covered by HIPAA – for example, therapists that bill clients directly or conduct transactions by paper-to-paper fax – and schools that provide health services to students are exempt from being covered by HIPAA because students’ medical records are considered to be part of their educational records under the Family Educational Rights and Privacy Act.
With regards to Business Associates, individuals and organizations that qualify as Business Associates are required to comply with the HIPAA Security Rule and any other standard of the Administrative Simplification Regulations applicable to the service(s) being provided. Therefore, many are only partially covered by HIPAA – including health care providers that do not qualify as covered entities, but who provide a service on behalf of a covered entity as a business associate.
What is Covered by HIPAA?
In addition to who is covered by HIPAA, people also have misconceptions about what is covered by HIPAA. This is partially due to online lists of “HIPAA Identifiers” which incorrectly imply that all the listed identifiers are protected by HIPAA in all circumstances. This is not the case. The only information guaranteed to be “protected” by HIPAA is information relating to an individual’s past, current, or future health condition, treatment for the condition, and payment for the treatment.
This information is maintained in what are referred to as “designated record sets”. There is no limit to how many designated record sets each covered entity can maintain, and it is also possible for a designated record set to consist of a single item. For example, if a pediatrician maintains a baby wall displaying pictures of infants the pediatrician has delivered, each picture is a designated record set because it contains identifying information relating to an individual’s past treatment.
The reason some sources incorrectly imply “HIPAA Identifiers” are protected is that any information maintained in the same designated record set as “Protected Health Information” assumes the same protections as the health information maintained in the same set. Therefore, a car license number maintained in a designated record set is protected. A car license number maintained in a database that contains no other Protected Health Information is not protected by HIPAA.
A further reason people may have misconceptions about what is covered by HIPAA is a lack of transparency in providers’ Notices of Privacy Practices and authorization forms. A lot of healthcare documentation allows covered entities to disclose Protected Health Information to third parties that do not qualify as business associates covered by HIPAA or who legally share the information with data brokers. In such cases, the protection of health information is not guaranteed.
The Consequences of Not Knowing Who or What is Covered by HIPAA
The consequences of not knowing who or what is covered by HIPAA fall into two categories – unjustified complaints and operational inefficiencies. Unjustified complaints are a huge administrative burden on healthcare organizations and regulators alike. According to the HHS’ Enforcement Highlights web page, the department has received more than 335,000 complaints since the effective date of the Privacy Rule and more than 230,000 of these were unjustified.
The leading reason for complaints being rejected by HHS is that the complaint is made against an individual or organization not covered by HIPAA. Another common reason for complaints being rejected is that a covered individual or organization has not violated any HIPAA Rules because it has either disclosed Protected Health Information in circumstances permitted by the Privacy Rule or it has disclosed information that is not protected by the Privacy Rule.
Although no records are kept of unjustified complaints made directly to individuals and organizations covered by HIPAA, it is not difficult to understand how unjustified complaints can lead to operational inefficiencies. For example, if a healthcare organization enforces more stringent policies than required on how Protected Health Information is used and disclosed, it could restrict access to information required for patient transportation or future care coordination.
Consequently, it is important that individuals and organizations in the health insurance and health care industries understand who is covered by HIPAA and what is covered by HIPAA, and communicate this information to plan members and patients. If you – or your organization – is unsure about who or what is covered by HIPAA, it could result in unintentional HIPAA violations or operational inefficiencies, and you are advised to seek professional compliance advice.