The answer to the question who does HIPAA apply to is not always as straightforward as it is presented to be. There are multiple scenarios in which organizations may be partial entities or hybrid entities, or subject to more stringent health data privacy rules than HIPAA even though they are not Covered Entities under HIPAA.
Most sources attempting to tackle the question of who HIPAA applies to rely on the applicability clause of the Administrative Simplification General Provisions for their answer (45 CFR § 160.102). This clause, and other applicability clauses in HIPAA, state:
Except as otherwise provided, the standards, requirements, and implementation specifications […] apply to the following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a covered transaction.
In addition to the three types of Covered Entity, the applicability clause states, “where provided, the standards, requirements, and implementation specifications […] apply to a business associate.”
While this looks like a straightforward answer to the question of who HIPAA applies to, anybody familiar with HIPAA will know that very little is straightforward when it comes to dissecting the text of the Administrative Simplification provisions. For example, in just this small section of text there are three phrases that add uncertainty to the idea of a “straightforward answer”:
- “Except as otherwise provided”,
- “In connection with a covered transaction”, and
- “Where provided”.
Who Does HIPAA Apply to “Except as Otherwise Provided”?
When the HIPAA Privacy Rule was published, it created a federal floor of privacy protections that pre-empts state laws except when a state law:
- Provides greater privacy protections and/or better patient rights,
- Provides for the reporting of an event for the purposes of public health investigation, or
- Requires health plans to include PHI in reports such as management and financial audits.
In addition to these “except as otherwise provided” exceptions, states, Covered Entities, and individuals can apply to the Department of Health and Human Services (HHS) for an exemption to Privacy Rule compliance if the exemption meets certain criteria – for example to better prevent fraud and abuse related to the provision of or payment for health care.
There are multiple other examples in which Covered Entities may be exempt from complying with HIPAA. For example, the Military Command Exception allows Armed Forces medical personnel to disclose PHI without authorization in certain circumstances, while most school medical facilities that meet the criteria for being a Covered Entity are exempt from complying with HIPAA due to student medical records being classified as “educational records” under FERPA.
What Does “In Connection with a Covered Transaction” Mean?
While all health plans and health care clearinghouses are HIPAA Covered Entities regardless of the nature of their operations, healthcare providers are only considered to be HIPAA Covered Entities if they exchange information electronically with another party for a transaction covered by the HIPAA Transactions and Code Sets Rule (45 CFR Part 162, Subparts K – S). These transactions include:
- Payment and remittance advice
- Claims status
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
- Premium payment
In most cases, healthcare providers will be Covered Entities if they file electronically with Medicare. However, some private or small medical practices – particularly those that bill patients directly – might not qualify as Covered Entities. If your organization is in any doubt whether it qualifies as a Covered Entity, HHS has produced an interactive Decision Tool with helpful explanations at the end of the document.
How Does HIPAA Apply to Business Associates, Partial Entities, and Hybrid Entities?
In addition to applying to Covered Entities, HIPAA applies to Business Associates, Partial Entities, and Hybrid Entities – although not in the same ways. With regards to Business Associates, HHS has published a list of HIPAA violations for which the Office for Civil Rights is authorized to take enforcement action against Business Associates. This list shows Business Associates are required to comply with elements of the Privacy and Breach Notification Rules as well as the Security Rule.
Partial Entities are organizations that conduct covered transactions internally between separate legal entities. An example of a Partial Entity is an employer who administers a self-insured health plan. In this example, the employer and the health plan are separate legal entities and HIPAA applies to PHI maintained by the health plan which is shared electronically with the employer for administration purposes. Note: The employer cannot use the PHI for organizational operations.
Hybrid Entities are single legal entities whose business activities include both covered transactions and non-covered transactions. An example of a Hybrid Entity is a medical school that provides health care facilities for both students and non-students. As mentioned previously, student medical records are covered by FERPA, but the component of the school's activities that provides health care facilities for non-students is covered by HIPAA, and this component must comply with all the HIPAA Rules.
What Companies Does HIPAA Apply To?
There are three types of companies that HIPAA applies to – either completely or partially. The first type is a HIPAA Covered Entity. This type of company is usually a health plan, health care clearinghouse, or healthcare organization provided it is not excepted – for example, because it bills patients directly. These types of companies have to comply with all the HIPAA Rules.
The second type of company is a Business Associate. This type of company provides a service for or on behalf of a Covered Entity and has to comply with the Security Rule and Breach Notification Rule by law. The company may also have to comply with General Provision and Privacy Rule standards depending on the nature of service provided and the terms of a Business Associate Agreement.
The third type of company is one that develops, sells, or provides services for Personal Health Records when data is created, received, maintained, or transmitted to or from more than a single device. This type of company has to comply with the Breach Notification Rule under Section 5 of the Federal Trade Commission Act, and compliance with this requirement is policed by the FTC.
When HIPAA Does Not Apply
There are many circumstances when HIPAA does not apply – the most common being when an employer collects health information about an employee but does not use it in connection with a covered transaction. Other circumstances can include when an individual discloses their vaccination status to an airline or applies to a local authority for a disabled parking permit.
Additionally, although HIPAA applies to most instances when healthcare is paid for by an insurance provider, HIPAA does not apply in all instances. For example, if payment for healthcare is secondary to a non-health related insurance policy (for example, auto insurance that pays medical expenses for an accident), the healthcare provider, insurer, and transactions are not covered by HIPAA.
Financial institutions are also not covered by HIPAA – even when a transaction reveals personal medical information about an individual that would be considered PHI in any other circumstances. This exclusion also applies to any third party involved in “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution”.
When Health Data Privacy Rules Apply to Non-Covered Entities
It was mentioned in the introduction to this article that there are scenarios in which organizations can be subject to more stringent health data privacy rules than HIPAA even though they are not Covered Entities (or Business Associates, Partial Entities, or Hybrid Entities) under HIPAA. An example of such a scenario relates to the Texas Medical Records Privacy Act that was updated in 2011 by HB 300 to expand the definition of a Covered Entity.
Since 2011, any person or organization that “assembles, collects, analyzes, uses, evaluates, stores, or transmits [the] Protected Health Information [of a Texas resident]” is a Covered Entity under the Texas Medical Records Privacy Act. Consequently, researchers, accountants, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI are required to comply with health data privacy rules – even if they are located outside of Texas.
The Texas Medical Records Privacy Act preempts HIPAA as it provides greater privacy protections and better patient rights (one of the exceptions discussed earlier). Confusingly, a Business Associate under HIPAA that is located outside of Texas could be a Covered Entity under the Medical Records Privacy Act if the Business Associate processes PHI provided to it by a Covered Entity (also outside of Texas) that includes PHI relating to a Texas citizen. HIPAA is rarely straightforward!