The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is applicable to all entities in the Healthcare Industry. It outlines the rules and regulations with regard to the use and disclosure of protected health information (PHI) by organizations in the industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it. While healthcare providers who directly work with patients are aware of the regulation, it is crucial to understand the entire landscape of the healthcare service delivery ecosystem to which the Act applies. The insights below clarify the answer to another commonly asked question ‘Who needs to be HIPAA compliant?’.
There are three types of organizations that need to be HIPAA compliant:
- Covered Entities
- Business Associates (third-party service providers who work with covered entities)
- Subcontractors (Business Associates of Business Associates)
Who is covered under HIPAA?
Covered Entities | Business Associates | Subcontractors | |
---|---|---|---|
Description | A Covered Entity consists of 3 types of organizations that directly work with patients and administer healthcare. They are: A Healthcare Provider, A Health Plan & A Healthcare Clearing House. | A “business associate” is a person or entity that performs specific functions or renders services to a covered entity, which involve the use or disclosure of protected health information. A covered entity can be a business associate of another covered entity. | Business Associates hire subcontractors to process, create, or store PHI. They usually don’t have a business associate agreement or a direct relationship with covered entities. However, because they handle patient data, they need to be HIPAA compliant. |
Examples | A Healthcare Provider includes Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies… if they transmit any information electronically | Services rendered by business associates are: legal; actuarial; accounting; web-hosting; managed IT and security services; financial, consulting; management; accreditation; data aggregation, data transmission; administrative; accreditation agencies, medical equipment service companies. | A hosted service provider like Amazon Web Services is a classic example of a subcontractor. With the increase in cloud-based services, there is an increased dependence on subcontractors by covered entities and business associates. |
A Health Plan includes Health Insurance Companies, HMOs, Company Health Plans, Government programs that pay for healthcare like Medicaid, Medicare, Healthcare programs for veterans / military | Some examples of business associate functions and activities include:
• data analysis, processing or administration
• claims processing or administration
• utilization review
• quality assurance
• billing
• benefit management
• practice management
• repricing | ||
A Healthcare Clearing House includes entities that process nonstandard health information that they receive from another entity into a standard (e.g. a standard electronic format / data content) or vice versa | |||
HIPAA Compliance | Mandatory | Mandatory | Mandatory |
Business Associate Agreement | Required between a Covered Entity and a Business Associate / Subcontractor | Required between a Covered Entity and a Business Associate / Subcontractor | Required between a Business Associate and Contractor |
Penalties, Fines & Jail Time | Applicable & Direct | Applicable & Direct | Applicable & Direct |
Organizations under all three categories are required to register with the Department of Health and Human Services (HHS). The Office for Civil Rights (OCR) is authorized to enforce all HIPAA rules, including compliance with new best practices shared by them on a regular basis.
If you are wondering whether your organization is covered under HIPAA or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.
Related Links: