The question of who needs to be HIPAA compliant has multiple answers due to the variety of activities within the health insurance and healthcare industries and because of how other laws can impact compliance with HIPAA.
Who needs to be HIPAA compliant is usually answered as covered entities and business associates – covered entities being health plans, health care clearinghouses, and qualifying healthcare providers; while business associates are third party individuals or organizations that provide a service for or on behalf of a covered entity. Unfortunately, the answer is not that simple.
Health plans are defined in §160.103 of the Administrative Simplification Regulations as an individual or group plan that provides or pays the cost of medical care – medical care being defined in §2791(a) of the Public Health Service Act as the “diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any structure or function of the body” (i.e., medication and medical equipment).
Therefore, health plans can include health, dental, vision, and prescription drug insurers, health maintenance organizations, long-term care insurers, employer-, church-, and government-sponsored health plans, Medicare, state child health plans, and high risk pools established under state law to provide health insurance coverage or comparable coverage to eligible individuals.
There are exclusions to this definition. Health plans that provide nursing home fixed indemnity policies as their primary activity are excluded, as are employer-sponsored group health plans with fewer than fifty members and any insurance company that provides health benefits secondary to (for example) workers’ comp, automobile insurance, or property insurance.
Health Care Clearinghouses
A health care clearinghouse is an organization that reconfigures health information received in a non-standard format to a standard format (or vice versa) on behalf of a health plan or healthcare provider. Organizations in this category include billing services, repricing companies, and community health information systems – provided their primary activity is reconfiguring health information.
When the HIPAA Administrative Simplification Regulations were originally published, HHS acknowledged that health care clearinghouses may have other meanings in other contexts, but emphasized that only health care clearinghouses that reconfigure health information as their primary activity qualify as covered entities in the context of who needs to be HIPAA compliant.
Nonetheless, HHS excludes health care clearinghouses from complying with certain HIPAA standards – for example, providing a Notice of Privacy Practices and complying with patients’ rights provisions – and includes specific provisions that only apply to health care clearinghouses in the Part 162 standards (§162.414 and §162.930) and in the Security Rule Administrative Safeguards (§164.308).
Healthcare providers qualify as HIPAA covered entities only if they conduct transactions electronically for which HHS has published standards in Part 162 of the Administrative Simplification Regulations, and if they qualify as a healthcare provider (as defined in 42 USC §1395x(u)) that provides medical services (as defined in 42 USC §1395x(s)) under the Public Health and Welfare Code.
Although this definition covers most healthcare providers, there are exceptions. For example, a homeopathist who provides treatment paid for by a health plan is not a covered entity, nor is a psychologist who bills patients directly. Some rural health centers that do not conduct transactions electronically may also not qualify as covered entities under HIPAA.
Where the question of who needs to be HIPAA compliant gets complex is when a healthcare provider who does not qualify as a covered entity provides a service to or on behalf of a covered entity as a business associate. The provider then needs to comply with the terms of the Business Associate Agreement between themselves and the covered entity, and with any applicable standards of the Privacy and/or Security Rules.
Business Associates and Subcontractors
As mentioned previously, business associates are third party individuals or organizations that provide a service for or on behalf of a covered entity. Examples of business associates include cloud computing services, email encryption services, web hosting services, password managers, digital media shredding services, outsourced answering services, and Managed Service Providers.
When PHI is disclosed to, or used in connection with, a service provided by a business associate – or created by a business associate on behalf of a covered entity – the business associate is required to comply with the Security Rule and the Breach Notification Rule, and any other applicable standards of the Administrative Simplification Regulations stipulated in the Business Associate Agreement.
Additionally, when a business associate discloses or shares PHI with a downstream business associate or subcontractor (for example, if a business associate uses a cloud computing service to provide their service to the covered entity), the subcontractor must also comply with the Security and Breach Notification Rules and any other terms stipulated in the Business Associate Agreement.
Further Complexities of HIPAA Compliance
In addition to the possibility of healthcare providers that do not qualify as covered entities working as business associates, further examples exist of where HIPAA compliance can be complex. These include when an affiliated entity – a group of legally separate entities affiliated into a single covered entity – includes units with different functions.
For example, if an affiliated entity includes a healthcare provider and a health care clearinghouse, although it is permissible for PHI to be shared between the two units, any activity conducted by the health care clearinghouse that is not related to reconfiguring health information has to be isolated from the rest of the affiliated entity’s activities.
The same isolation of PHI is required if, for example, an insurance provider has separable lines of business – one of which is a health plan – or if a college provides medical services to both students (whose medical records are usually covered by FERPA) and members of the public (whose medical records are covered by HIPAA). There are many more similar examples.
Other Examples of Who Needs to be HIPAA Compliant
Other examples of who needs to be HIPAA compliant (to a degree) include developers and vendors of health-related mobile apps. mHealth apps that are not developed by a covered entity or by a business associate on the covered entity’s behalf are not subject to the HIPAA Privacy and Security Rules unless they are downloaded on the direction of a healthcare provider or health plan.
However, although not subject to the HIPAA Privacy and Security Rules, direct-to-consumer apps that collect, store, and transmit personal health information to a developer or vendor – even if the transfer of data is solely for storage – are subject to the HIPAA Breach Notification Rule, and all breaches of unsecured health data must be notified to the individual and to the Federal Trade Commission.
Additionally, there have been cases in which organizations needed to be HIPAA compliant on a temporary basis. An example of this occurred between 2004 and 2006 when private companies were allowed to sponsor Medicare prescription cards during the transition to Medicare Part D. Companies that sponsored the cards were required to comply with the Privacy Rule.
How Other Laws Can Also Affect HIPAA Compliance
HIPAA preempts other state and federal laws unless a state or federal law provides more patients’ rights or increases privacy protections. At the time HIPAA was passed, few laws had provisions meeting these criteria. However, since the passage of HIPAA, multiple state laws and one significant federal regulation have been introduced that can affect HIPAA compliance.
The significant federal regulation is SAMHSA’s Confidentiality of SUD Patient Records (42 CFR Part 2). This regulation prohibits many disclosures of SUD patient records that would otherwise be permitted under the Privacy Rule without an authorization. Importantly for HIPAA covered entities, violations of 42 CFR Part 2 carry the same penalties as violations of HIPAA.
Among state laws that can affect HIPAA compliance, it is important to be aware that some – e.g., the California Privacy Rights Act and the Texas Medical Records Privacy Act – apply beyond state boundaries and apply to citizens of the state wherever they are when their health information is assembled, collected, analyzed, used, evaluated, stored, or transmitted.
Why Is It Important to Know Who Needs to be HIPAA Compliant?
One reason it is important to know who needs to be HIPAA compliant is that your organization could be a covered entity looking for a third party organization to provide a service which requires the disclosure of PHI. You need to know that the third party organization knows it needs to be HIPAA compliant before it can provide a service for or on your organization’s behalf.
Not all organizations acknowledge they need to be HIPAA compliant. For example, several password managers refuse to sign Business Associate Agreements on the basis they cannot access encrypted PHI stored in password vaults. This is despite HHS guidance saying they should. Consequently, any customers of LastPass will be frantically trying to identify if PHI was disclosed in either of the recent data breaches experienced by the non-compliant password manager.
Therefore, if you are a covered entity or a business associate, it is important to know who needs to be HIPAA compliant so you do not inadvertently disclose PHI to an organization that does not have the safeguards in place to protect the privacy of PHI or ensure the confidentiality, integrity, and availability of electronic PHI. If you are unsure about who needs to be HIPAA compliant before disclosing PHI to a third party, you are advised to seek HIPAA compliance advice.