Who is subject to HIPAA?
Entities subject to HIPAA include most – but not all – healthcare providers, health care clearinghouses, and health plans when the provision of healthcare insurance is the primary activity of the health plans. In addition, business associates that provide a service to or on behalf of a covered entity are also subject to HIPAA when the service includes the creation, collection, storage, or transmission of Protected Health Information.
Though only one section of the Health Insurance Portability and Accountability Act of 1996 is directly concerned with patient privacy, it causes a lot of concern for healthcare organizations. As there are hefty fines for HIPAA violations, any organization that may be subject to HIPAA should check whether they fall within its remit before handling any patient data. That is, they should establish whether they are a HIPAA Covered Entity.
HIPAA defines a Covered Entity in its summary of the HIPAA Privacy Rule as those who “electronically transmit health information in connection with certain transactions”. It goes without saying that this definition is incredibly vague, and consequently, there has been much confusion as to who falls under this definition. According to the Department for Health and Human Service’s website, Covered Entities are considered to be healthcare organizations, health plans, and healthcare clearinghouses.
Even though this definition only includes “electronic” data, HIPAA actually protects all protected health information (PHI), whether it is physical, verbal, or electronic. This extends the definition of a Covered Entity beyond that described above, as any healthcare provider that handles PHI for a HIPAA-covered transaction— regardless of its form – is subject to HIPAA. Covered transactions include healthcare-related operations such as the provision or payment of healthcare.
Any individual employee, volunteer, or individual otherwise under the “direct control” of a Covered Entity must be trained in HIPAA compliance. All employees must be aware of their duties under HIPAA, including how to best protect PHI, and what should be done if they notice a HIPAA violation.
Any third-party entity that has entered into a Business Associate Agreement (BAA) with the Covered Entity (i.e. has become a Business Associate) is also subject to HIPAA. These BAs usually carry out functions or tasks on behalf of the Covered Entity, allowing them to come into contact with PHI. The BAs must ensure that they enact the minimum security protocols needed to safeguard PHI and only use disclosed information for the purpose agreed upon in the BAA. Any subcontractors of BAs must also be HIPAA-compliant.
There are other organizations, aside from those listed above, that may come into contact with PHI. Scientific researchers, for example, may wish to use PHI in their studies. Under HIPAA, PHI can be disclosed to researchers so long as it is done so with the patient’s authorization. No BAA is required, though a separate data use agreement is.
All patients are protected by HIPAA. Though there are some exceptions in which their PHI can be disclosed without full authorization – for example, if required by a court, or during a public health emergency – all Covered Entities and their Business Associates must protect the PHI of all patients equally.