Who is Required to Follow HIPAA Requirements?

Those required to follow HIPAA requirements include most healthcare providers, most health plans, and health care clearing houses (collectively known as covered entities), business associates, and covered entities’ and business associates’ workforces. Some vendors of personal health devices are also required to follow HIPAA requirements.

One of the areas of HIPAA that leads to confusion about HIPAA compliance is who is required to follow HIPAA requirements. This is because not all healthcare providers and health insurance plans qualify as covered entities, and not all individuals or organizations that provide a service to or on behalf of a covered entity qualify as business associates.

Which Healthcare Providers are Required to Comply with HIPAA?

With regard to healthcare providers, only those who transmit health information in electronic form (*) in connection with a transaction for which HHS has developed standards are required to follow HIPAA requirements. Healthcare providers that bill patients directly, or that do not use electronic transactions when billing health plans or Medicare, are not required to follow the requirements.

The exception to these criteria is when a healthcare provider that does not qualify as a HIPAA covered entity provides a service for or on behalf of a covered entity as a business associate. In this scenario, the non-qualifying healthcare provider would be required to follow HIPAA requirements in respect of the service being provided for or on behalf of the covered entity.

(*) Paper-to-paper non-digital faxes and telephone communications over a Public Switched Telephone Network – including voice messages left on recording machines – do not qualify as electronic transactions when the health information did not exist in electronic form prior to the transaction.

Are all Health Plans Required to Follow HIPAA Requirements?

Whether or not a health plan is required to follow HIPAA requirements depends on the nature of health benefits provided and whether the provision of health benefits is the plan’s primary function. There is a long list of excluded health benefits (see 42 USC 300gg-91(c)) including:

  • Dental or vision insurance when offered separately.
  • Coverage for a specified disease or illness.
  • Long-term care, nursing home care, and home health care.
  • Workers’ compensation or similar insurance.
  • Credit-only insurance.
  • Accident-only or disability-only insurance.
  • Automobile medical payment insurance.

Insurance companies that offer health benefits secondary to (for example) public liability insurance or automobile liability insurance do not qualify as covered entities and are not required to follow HIPAA requirements. In addition, insurance companies that sell Medicare supplementary insurance (Medigap) as a secondary activity do not qualify as covered entities.

What HIPAA Requirements are Business Associates Required to Follow?

The HIPAA requirements business associates are required to follow depend on the service being provided to or on behalf of a covered entity. If an individual or organization is providing a service to a covered entity that does not require uses or disclosures of PHI, the individual or organization is not a business associate and does not have to follow any HIPAA requirements.

Thereafter, business associates must follow all applicable standards of the Security and Breach Notification Rules and – where provided – the Privacy Rule (see §160.102). This “compliance yardstick” can be amended by the terms of a Business Associate Agreement – and often is amended with regards to reporting security incidents that do not result in a data breach.

This could mean that a cloud service provider with “no view access” to PHI has to follow minimal Security Rule requirements, while an organization providing medical imaging services to a hospital may have to comply with the applicable standards of all the HIPAA Rules. However, there are also exceptions to the definition of a business associate as explained in this article.

Who Decides the HIPAA Requirements for Workforce Members?

The term workforce is defined in HIPAA as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate”. Volunteers can include members of the clergy.

Under the Federal common law of agency, covered entities and business associates are liable for HIPAA violations attributable to an act or omission by a member of the workforce while fulfilling their role for the covered entity or business associate. Therefore, it is the covered entity or business associate who decides the HIPAA requirements for each member of the workforce.

To meet this requirement, covered entities and business associates must develop policies and procedures so that members of the workforce can fulfil their roles in compliance with HIPAA. Workforce members must receive HIPAA training on policies and procedures applicable to their roles, participate in a security awareness program, and undergo periodic refresher training.

Vendors of Personal Health Devices and HIPAA Compliance

Most manufacturers and vendors of personal health devices that create, collect, store, or transmit PHI qualify as covered entities or business associates under HIPAA – but some do not. Those that do not qualify as HIPAA covered entities or business associates are still required to comply with the Breach Notification Rule if they suffer a breach of unsecured PHI.

In such cases, vendors of personal health devices must notify affected individuals, the Federal Trade Commission (rather than HHS’ Office for Civil Rights), and – depending on the scale of the breach – the media. It may also be necessary to notify affected individuals’ State Attorneys General depending on the healthcare data privacy and security rules in force in each state.

Individuals and organizations unsure about who is required to follow HIPAA requirements, what requirements must be followed, and which members of the workforce require HIPAA training should seek professional compliance advice. A lack of knowledge about the HIPAA Rules will not excuse an individual or organization from a penalty in the event of a HIPAA violation.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/