The answer to the question who does HIPAA apply to is not always as straightforward as it is presented to be. There are multiple scenarios in which organizations may be partial entities or hybrid entities, or subject to more stringent health data privacy rules than HIPAA even though they are not Covered Entities under HIPAA.
Most sources attempting to tackle the question of who HIPAA applies to tend to rely on the applicability clause of the Administrative Simplification General Provisions for their answer (45 CFR § 160.102). This clause, and other applicability clauses in HIPAA, state:
Except as otherwise provided, the standards, requirements, and implementation specifications […] apply to the following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a covered transaction.
In addition to the three types of Covered Entity, the applicability clause states, “where provided, the standards, requirements, and implementation specifications […] apply to a business associate.”
While this looks like a straightforward answer to the question of who HIPAA applies to, anybody familiar with HIPAA will know that very little is straightforward when it comes to dissecting the text of the Administrative Simplification provisions. For example, in just this small section of text alone there are three phrases that add uncertainty to the idea of a “straightforward answer”:
- “Except as otherwise provided”,
- “In connection with a covered transaction”, and
- “Where provided”.
Who Does HIPAA Apply to “Except as Otherwise Provided”?
When the HIPAA Privacy Rule was published, it created a federal floor of privacy protections that pre-empts state laws except for when a state law:
- Provides greater privacy protections and/or better patient rights,
- Provides for the reporting of an event for the purposes of public health investigation, or
- Requires health plans to include PHI in reports such as management and financial audits.
In addition to these “except as otherwise provided” exceptions, states, Covered Entities, and individuals can apply to the Department of Health and Human Services (HHS) for an exemption to Privacy Rule compliance if the exemption meets certain criteria – for example to better prevent fraud and abuse related to the provision of or payment for health care.
There are multiple other examples in which Covered Entities may be exempt from complying with HIPAA. For example, the Military Command Exception allows Armed Forces medical personnel to disclose PHI without authorization in certain circumstances, while most school medical facilities that meet the criteria for being a Covered Entity are exempt from complying with HIPAA due to student medical records being classified as “educational records” under FERPA.
What Does “In Connection with a Covered Transaction” Mean?
While all health plans and health care clearinghouses are HIPAA Covered Entities regardless of the nature of their operations, healthcare providers are only considered to be HIPAA Covered Entities if they exchange information electronically with another party for a transaction covered by the HIPAA Transactions and Code Sets Rule (45 CFR Part 162, Subparts K – S). These transactions include:
- Payment and remittance advice
- Claims status
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
- Premium payment
In most cases, healthcare providers will be Covered Entities if they file electronically with Medicare. However, some private or small medical practices – or rural medical services – might not qualify as Covered Entities. If your organization is in any doubt whether it qualifies as a Covered Entity, HHS has produced an interactive Decision Tool with helpful explanations at the end of the document.
How Does HIPAA Apply to Business Associates, Partial Entities, and Hybrid Entities?
In addition to applying to Covered Entities, HIPAA applies to Business Associates, Partial Entities, and Hybrid Entities – although not in the same ways. With regards to Business Associates, HHS has published a list of HIPAA violations for which the Office for Civil Rights is authorized to take enforcement action against Business Associates. This list shows Business Associates are required to comply with elements of the Privacy and Breach Notification Rules as well as the Security Rule.
Partial Entities are organizations that conduct covered transactions internally between separate legal entities. An example of a Partial Entity is an employer who administers a self-insured health plan. In this example, the employer and the health plan are separate legal entities and HIPAA applies to PHI maintained by the health plan which is shared electronically with the employer for administration purposes. Note: The employer cannot use the PHI for organizational operations.
Hybrid Entities are single legal entities whose business activities include both covered transactions and non-covered transactions. An example of a Hybrid Entity is a medical school that provides health care facilities for both students and non-students. As mentioned previously, student medical records are covered by FERPA, but the component of the school's activities that provides health care facilities for non-students is covered by HIPAA, and this component must comply with all the HIPAA Rules.
When Health Data Privacy Rules Apply to Non-Covered Entities
It was mentioned in the introduction to this article that there are scenarios in which organizations can be subject to more stringent health data privacy rules than HIPAA even though they are not Covered Entities (or Business Associates, Partial Entities, or Hybrid Entities) under HIPAA. An example of such a scenario relates to the Texas Medical Records Privacy Act that was updated in 2011 by HB 300 to expand the definition of a Covered Entity.
Since 2011, any person or organization that “assembles, collects, analyzes, uses, evaluates, stores, or transmits [the] Protected Health Information [of a Texas resident]” is a Covered Entity under the Texas Medical Records Privacy Act. Consequently, researchers, accountants, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI are required to comply with health data privacy rules – even if they are located outside of Texas.
The Texas Medical Records Privacy Act preempts HIPAA as it provides greater privacy protections and better patient rights (one of the exceptions discussed earlier). Confusingly, a Business Associate under HIPAA that is located outside of Texas could be a Covered Entity under the Medical Records Privacy Act if the Business Associate processes PHI provided to it by a Covered Entity (also outside of Texas) that includes PHI relating to a Texas citizen. HIPAA is rarely straightforward!