Who is covered by HIPAA?
Though HIPAA was established to protect health data, it is not protected in every situation. Only some organizations that handle health data are required to be HIPAA compliant. We will provide an overview of those organizations here.
The organizations that are required to be HIPAA compliant are termed “HIPAA Covered Entities” (CEs). Though a definition of a CE was absent in the original Health Insurance Portability and Accountability Act in 1996, one was subsequently added when the Privacy Rule was enacted in 2002. Any organization that meets this definition must comply with HIPAA and enact the necessary safeguards to protect patient data (Protected Health Information, PHI).
According to the Privacy Rule, and the Department for Health and Human Services, HIPAA Covered Entities are one of the following:
- Healthcare providers (such as doctors, nursing homes, and pharmacists), so long as they use electronic PHI in a HIPAA-covered transaction
- Health plans (such as Health Maintenance Organizations, dental and vision insurance plans, and government health plans like Medicaid)
- Healthcare Clearinghouses.
Healthcare Clearinghouses typically receive and process claims from insurance providers, checking them for errors or converting them from non-standard into standard formats.
Even though the definition of CE only includes electronic protected health information, all PHI, irrespective of format, is actually protected under the Privacy Rule.
However, it is not only the entities listed above that are covered by HIPAA. Often, these entities will engage a third-party vendor to carry out specific tasks that use PHI. This may include storing PHI, collecting data from patients, or even transmitting PHI between CEs.
As these third parties will be handling PHI, they must also be HIPAA compliant. Before handing over, or granting access, to any PHI CEs must ensure that they enter into a Business Associate Agreement with the third party (rendering them Business Associates). These BAAs will outline the responsibilities of the BA with regard to the use and security of any PHI that they have access to.
If the BA, in turn, uses another third party’s services, they must also enter into a BAA with that party.
However, as is evident from the list above, not all parties that may have access to sensitive information are covered by HIPAA. Employers, for example, who may have access to information including Social Security Numbers or addresses, are not covered by HIPAA. Manufacturers and operators or smart devices that track a customer’s sleep are also not required to comply with HIPAA. This is largely because the data is not being used in a HIPAA-covered transaction (such as payments or referrals for treatment).
Any organization, then, that meets the definition of Covered Entity – and their Business Associates – are required to be HIPAA compliant. HIPAA non-compliance can attract hefty fines, so CEs should ensure that all of their employees have adequate HIPAA training.