The Health Insurance Portability and Accountability Act (HIPAA) does not protect all health information. Nor does it apply to every person who may see or use health information.
HIPAA applies to covered entities, business associates and their subcontractors.
Covered Entities
Health Care Providers
Health care providers furnish, bill for or are paid for health care in the normal course of business. They include
- doctors
- dentists
- hospitals
- nursing homes
- pharmacies
- urgent care clinics
Health care providers must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to carry out functions such as processing claims and receiving payment and are required to comply with HIPAA.
Health Plans
Health plans pay the cost of medical care. They include
- health insurance companies
- health maintenance organizations (HMOs)
- group health plans sponsored by an employer
- government-funded health plans (Medicare, Medicaid)
- most other companies or arrangements that pay for health care
Health Care Clearinghouses
Health care clearinghouses process information so that it can be transmitted in a standard format between covered entities. They often act as a go-between for health care providers and health plans, which means that they rarely deal directly with patients. A clearinghouse may, for example, take claim information from a doctor and convert it into the standard coded format that a health plan can process.1
Business Associates
A business associate creates, receives, maintains or transmits protected health information on behalf of a covered entity or another business associate acting as a subcontractor.2
Services
Business associates can perform many different services. Business associates often perform services that do not involve patient interaction including
- accounting
- accreditation
- actuarial
- administrative
- benefit management
- billing
- consulting
- data aggregation
- data analysis
- data transmission
- legal
- management
- patient safety activities (limited)
- practice management
- processing or administering claims
- quality assurance
- repricing
- utilization review
A common example of a business associate with whom patients may interact is a company that offers a personal health record to individuals on behalf of a covered entity.
Responsibilities
Covered entities must execute written contracts (business associate agreements) with their business associates to ensure that protected health information is safeguarded according to HIPAA standards. Business associates must do the same with any subcontractors that are themselves business associates.3
The Department of Health and Human Services (HHS) website contains more information on business associate relationships and also provides sample language for business associate agreements.4
Business associates must comply with their contractual obligations to covered entities. In addition, business associates are directly liable for violations of the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule—meaning that they are subject to most of the same privacy and data security standards that apply to covered entities and may be subject to HHS audits and penalties.5
Subcontractors
Subcontractors that create, receive, maintain or transmit protected health information on behalf of a business associate have the same legal responsibilities as a business associate under HIPAA, meaning that privacy- and security-related legal responsibilities flow downstream to subcontractors performing work for a business associate.6
For example, a hospital’s business associate may hire an outside company to shred documents containing protected health information. The outside company (subcontractor) would be required to comply with most HIPAA rules as a business associate and would also be bound by a contract with the business associate rather than the covered entity (hospital).
Hybrid Entities
A hybrid entity performs both HIPAA-covered and non-covered functions as part of its business. A few examples are
- a large corporation that has a self-insured health plan for its employees
- a university with a medical center
- a grocery store that has a pharmacy
When an organization elects to be treated as a hybrid entity, only the portion of the company that is a covered entity (called the health care component) is subject to HIPAA. Hybrid entities must ensure that the health care component does not disclose protected health information to another non-covered component of the business and must also safeguard electronic protected health information.7
The HIPAA Privacy Rule applies to protected health information, and the HIPAA Security Rule applies to electronic protected health information.8
Health Information
Health information is any information (including genetic information) that is created or received by a
- health care provider
- health plan
- public health authority
- employer
- life insurance company
- school or university
- health care clearinghouse9
and relates to
- a person’s past, present or future physical or mental health or condition
- treatment provided to a person
- past, present or future payment for health care a person receives
Health information can exist in any form or medium including paper, electronic or oral.
Protected Health Information
Protected health information is individually identifiable health information that is held or transmitted by a covered entity or its business associate.
Individually identifiable health information identifies—or can be used to identify—a person. It includes demographic and other information that identifies a person such as
- name
- address
- date of birth
- Social Security number10
Information Not Covered
Health Information in Employment Records
HIPAA does not apply to health information in employment records. This includes a covered entity’s employment records.11
Most Health Information in Education Records
Health information in education records that are subject to the Family Educational Rights and Privacy Act (FERPA) is not considered protected health information under HIPAA.12
Health Information Regarding a Person Who Has Been Deceased for More Than 50 Years
Health information about a person who has been deceased for more than 50 years is not considered protected health information under HIPAA. For more information on the health information of deceased individuals, see the HHS website's resource.13
De-Identified Health Information
De-identified health information is not protected health information. Information is de-identified in one of two ways: under the safe harbor method, 18 types of identifiers are removed; under the expert determination method, a qualified expert determines that the risk that the information could be used to identify an individual is very small. De-identified data is often the subject of debate because of the possibility of re-identifying an individual.14
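The safe harbor method is mechanical enough to implement, and most mistakes in practice come from its edge cases: dates must be reduced to the year, ZIP codes to their first three digits (with 000 substituted where the three-digit area has 20,000 or fewer people), ages over 89 aggregated into a single "90 or older" bucket, and identifiers hiding in free-text notes must still be found. The following Python function is an added example, not code from the page or from HHS. The record field names, the sample record and the two "small population" ZIP prefixes are constructed for the example; in a real deployment the prefix set comes from Census data and the field mapping from your own schema.

```python
"""Safe harbor de-identification of a single patient record (added example).

Implements the identifier-removal rules of the HIPAA safe harbor method
on a flat dictionary. Field names are assumptions for this example, not
a standard HIPAA schema.
"""
import re
from datetime import date

# Fields that hold direct identifiers and are dropped outright. The set
# mirrors the safe harbor categories (names, geographic detail smaller
# than a state, contact details, SSN, medical record and plan numbers,
# account/licence/vehicle/device identifiers, URLs, IP addresses,
# biometrics, full-face photos). Names here are assumed, not standard.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP areas with 20,000 or fewer people must become "000".
# These two prefixes are constructed for the example, not Census data.
SMALL_POPULATION_ZIP3 = {"036", "059"}

# Patterns for identifiers that leak into free text. Dates in notes are
# removed entirely here (more conservative than the year-only rule).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for small-population areas."""
    zip3 = str(zip_code)[:3]
    if not re.fullmatch(r"\d{3}", zip3):
        return None
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_date(value):
    """Reduce a date (date object or ISO string) to its year only."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"(\d{4})-\d{2}-\d{2}$", str(value))
    return int(m.group(1)) if m else None


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def scrub_free_text(text):
    """Replace identifier-shaped substrings in narrative text."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def safe_harbor(record):
    """Return a de-identified copy of `record` under the safe harbor rules."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue  # direct identifier: drop the field entirely
        if field == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field.endswith("_date"):
            out[field[: -len("_date")] + "_year"] = generalize_date(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif field == "notes":
            out["notes"] = scrub_free_text(value)
        else:
            out[field] = value  # clinical data is retained
    return out


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {
        "name": "Jane Doe", "mrn": "A-1001", "zip": "03601",
        "birth_date": "1954-03-12", "age": 91, "diagnosis": "J45.20",
        "notes": "SSN 123-45-6789, call 555-123-4567",
    }
    print(safe_harbor(sample))
```

Even a correct implementation of these rules only satisfies safe harbor if the covered entity also has no actual knowledge that the remaining data could identify the individual; rare diagnoses combined with a three-digit ZIP and year of birth are exactly the combinations behind the re-identification debate mentioned above, which is why the expert determination route exists.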