Who Needs to Follow HIPAA Guidelines? Covered Entities Explained.

HIPAA has grown well beyond what it was when it was enacted in 1996. Over the years new legislation (notably HITECH in 2009 and the 2013 Omnibus Rule) has been layered on top of it, and the standards now cover electronic health records and newer issues such as PHI on social media. In the vast healthcare environment it is important for providers to understand exactly how the HIPAA guidelines apply to them and their practices.

Who Is Included?

The term “covered entity” describes the healthcare organizations and providers that are required to follow the HIPAA rules to protect patient protected health information (PHI). Covered entities fall into three main categories:

  • Health plans: health insurance companies, HMOs, employer-sponsored group health plans, Medicare and Medicaid
  • Healthcare clearinghouses: organizations that process insurance claims, billing and coding data between providers and payers
  • Healthcare providers: clinics, hospitals, surgery centers and individual practitioners that transmit health information electronically in connection with a standard transaction, such as submitting claims to health plans or sending data to a clearinghouse

A Few Exceptions For HIPAA Guidelines

Although these three categories cover most organizations, a few specifically defined exceptions are exempt from the HIPAA requirements. One example is a self-administered employer group health plan with fewer than 50 participants. Another is a healthcare provider that never transmits health information electronically for a standard transaction; a small rural ambulance service that bills only on paper is a typical case.

It is a common misconception that HIPAA applies to all healthcare information, at all times. It helps to remember the original intent of the law: health insurance portability and accountability. A physician who only takes cash payments and never deals with health plans or clearinghouses is not necessarily a covered entity, and an alternative medical provider who sees only self-pay patients is unlikely to be covered by HIPAA. That does not mean the records are unprotected: state medical privacy laws still apply, and the FTC’s Health Breach Notification Rule covers many health apps and services that fall outside HIPAA.

Lately there has been an explosion of online doctors and services that prescribe common medications like Viagra in response to a questionnaire. These services are typically cash-only and do not conduct electronic standard transactions, so the information they hold is likely not protected by HIPAA. By contrast, an online practice that bills health plans electronically is a covered entity, and its patient information is protected by HIPAA regardless of which telehealth platform it uses; the platform vendor is then a business associate and must sign a business associate agreement.

Don’t Forget Business Associates

Covered entities often rely on third-party suppliers and subcontractors that create, receive, maintain or transmit PHI on their behalf, and those parties must comply as well. They are called business associates, and the covered entity must sign a business associate agreement (BAA) with each of them before sharing PHI. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA: they must comply with the Security Rule in full and may use or disclose PHI only as their BAA permits.

Some examples of BAs in healthcare are:

  • IT consultants or managed-service providers who administer or support the EHR.
  • An attorney who accesses medical records while representing the covered entity.
  • A third-party billing service for a physician practice.
  • An independent medical transcriptionist working from home.

A business associate that uses its own subcontractors to handle PHI must in turn sign a separate BAA with each subcontractor to remain HIPAA compliant; the obligations flow down the chain. An example would be an IT service that maintains the electronic case files of an attorney whose files hold medical records: the attorney is a business associate of the covered entity, and the IT service is a business associate of the attorney.

Medical Research

Without effective medical research programs, medical advancement would soon come to a halt. With so much healthcare data available electronically, it is very useful to be able to analyze historical and current healthcare data across populations.

The HIPAA Privacy Rule allows three different paths for research use of patient data:

  1. Covered entities can disclose PHI to researchers when the patients have signed an authorization covering the use and disclosure of their PHI for that research (or an Institutional Review Board or Privacy Board has waived the authorization requirement). This situation does not require a business associate agreement, because the researcher is not acting on the covered entity’s behalf.
  2. The data disclosed can be a limited data set: not the entire health record, but a version with the direct identifiers (names, street addresses, phone numbers, e-mail addresses, SSNs, medical record and account numbers, and similar) removed, while dates, city, state, ZIP code and age may remain. A limited data set can be shared for research, public health activities and healthcare operations without patient authorization, but the recipient must sign a data use agreement.
  3. De-identified data. Data from which the identifiers are removed under one of the two methods the Privacy Rule defines, either Safe Harbor (strip all 18 listed identifier types, including name, dates other than the year, and most of the ZIP code) or Expert Determination (a qualified expert documents that the re-identification risk is very small), is no longer PHI and can be used for research and analysis without HIPAA restrictions.
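The difference between a limited data set (item 2) and Safe Harbor de-identification (item 3) is easiest to see on a concrete record. The following is an added example, not code from the FormDr post: it applies both cuts to a constructed sample record. The field names, the free-text patterns and the short list of sparsely populated ZIP3 areas are assumptions made for illustration (the real ZIP3 list comes from census data).

```python
"""Limited data set vs. Safe Harbor de-identification on a sample record.

Added example, not part of the original page. The record layout, the
free-text patterns and SPARSE_ZIP3 are assumptions for illustration.
"""
import re
from datetime import date

# Assumed field names for the 16 direct-identifier categories a limited
# data set must exclude (45 CFR 164.514(e)(2)).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})

# Safe Harbor keeps only the first three ZIP digits, and only where that
# ZIP3 area has more than 20,000 residents; otherwise it becomes "000".
# This small set of sparse ZIP3 prefixes is assumed for the example.
SPARSE_ZIP3 = frozenset({"036", "059", "102", "203", "556", "692", "790",
                         "821", "823", "878", "879", "884", "893"})

# Identifier shapes that leak into free-text notes (assumed simple forms).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),    # US phone number
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),    # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),     # IPv4 address
]

AS_OF = date(2024, 1, 1)  # reference date for age calculation (assumed)


def scrub_free_text(text):
    """Redact identifier-looking tokens from a notes field."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def limited_data_set(record):
    """Drop direct identifiers (including those hiding in free text).
    Dates, city/state/ZIP and age stay; a data use agreement is still
    required before the result is shared."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if isinstance(out.get("notes"), str):
        out["notes"] = scrub_free_text(out["notes"])
    return out


def safe_harbor(record, as_of=AS_OF):
    """Apply the Safe Harbor method on top of the limited-data-set cut."""
    out = limited_data_set(record)
    out.pop("city", None)  # no geographic unit smaller than a state, except ZIP3
    if "zip" in out:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    for key, value in list(out.items()):  # every date element except the year goes
        if isinstance(value, date):
            out[key] = value.year
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age > 89:  # ages over 89, and the birth year that reveals them, collapse to 90+
            out["age"] = "90+"
            out.pop("birth_date", None)
        else:
            out["age"] = age
    return out


# Constructed sample records; no real patient data.
SAMPLE = {
    "name": "Jane Q. Public", "ssn": "123-45-6789", "mrn": "MRN-0099871",
    "email": "jane@example.com", "street_address": "12 Elm St",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "birth_date": date(1931, 6, 15), "admit_date": date(2023, 11, 2),
    "diagnosis": "I10",
    "notes": "Call 217-555-0142 or jane@example.com to confirm.",
}
YOUNG = {"birth_date": date(1990, 6, 15), "zip": "03601", "city": "Claremont"}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    print(safe_harbor(SAMPLE))
    print(safe_harbor(YOUNG))
```

Note what the limited data set still carries: the full admission date, the city and the five-digit ZIP, which is exactly why it remains PHI and needs a data use agreement, whereas the Safe Harbor output has lost everything finer than year and ZIP3 and has aggregated the 92-year-old patient into the 90+ bucket.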

Protecting patient privacy is important, and we at FormDr take our job seriously. As the provider of HIPAA compliant online forms that carry sensitive PHI, security and compliance are at the front of what we do. Need more HIPAA resources? Check out our other blog posts and feel free to contact us with questions about our products and HIPAA compliance.