Not every organization engages with HIPAA – the Health Insurance Portability and Accountability Act – in precisely the same way. It’s an important distinction that people too often forget. Depending on the type of work you do, your business may be subject to different rules and regulations under HIPAA.
The only constant is that if you work with Protected Health Information (PHI) in any capacity, you need to be compliant. The alternative is not a route you want to explore. That way lies huge regulatory fines, potential lawsuits, and – if you’re a small business – the likelihood of total failure.
What you need to do instead is endeavor to understand HIPAA and your role under it. Work to figure out the data you need to protect, where it resides, and how you need to protect it. The first step in that process lies in knowing what classification you fall under.
Let’s talk about that.
Generally speaking, a covered entity is an organization or agency that works directly with healthcare data. They provide healthcare services of some kind to their clientele, and receive payment for those services. More importantly, they transmit and manage protected health information as part of their regular business operations.
Generally, such organizations fall into one of two camps: either they employ medical practitioners in some capacity, or they provide a critical service for patients such as insurance, Medicare, or Medicaid. This also means there are certain health-related organizations to which HIPAA does not apply.
Covered entities might include:
- Healthcare providers such as hospitals, doctor’s offices, and specialist clinics
- Care service providers such as nursing homes, rehab centers, and pharmacies
- Healthcare clearinghouses. These are organizations that solely process or aid in the processing of health information. They might include repricing billing services, a community health information system, or a “value-added” switch/network.
- Health plan providers – essentially, any health insurance or Medicare company.
- Research firms whose research is entirely dedicated to the medical industry.
- Laboratories responsible for performing tests and medical examinations.
Entities not subject to HIPAA include:
- Life insurance agencies
- Workers’ compensation firms
- Schools/school districts
- Gyms, assuming they do not provide physiotherapy that requires the transmission of PHI
- Massage therapists and holistic clinics
A Hybrid Entity falls somewhere in between a covered entity and a regular organization. While some of their services and business activities fall under HIPAA, others do not. In the case of Hybrid Entities, their departments or lines of business that deal with PHI are treated as separate entities from the rest of the organization.
The components of the organization that perform covered-entity functions must be clearly defined, and the onus is on the organization itself to make that distinction. What we would advise is, with the guidance of a legal expert, looking at each segment of your business individually to see whether it requires HIPAA compliance.
Treat each segment as its own organization. Ask yourself – if this line of business were examined in isolation, would it be subject to HIPAA? To help you along, we’ll tie this section off with a few examples of hybrid entities:
- Universities and other research institutions
- IT companies such as application developers and cybersecurity consulting firms
- Counties and municipalities
- Web or application hosts
A Business Associate is any organization that works with a covered entity in some capacity, assuming their work involves the use or disclosure of PHI in any way, shape, or form. It’s also possible for one Covered Entity to be a Business Associate of another Covered Entity. Some examples of services that will likely require a Business Associate agreement include:
- Data analysis
- Claims processing
- Quality assurance
To determine whether your business (or another organization working with your business) should sign a Business Associate Agreement, take a look at the data that’s being shared. Is the data anonymized to HIPAA’s de-identification standard, or is it still possible to identify the individuals from whom the data originate? More importantly, are you working exclusively with PHI, or are you also managing employment information and financial data related to staff?
You may be subject to additional regulations if that’s the case.
To determine if PHI has been properly de-identified…
- Check to see that all 18 types of identifiers have been removed for both the individual and all relatives, employers, or household members associated with the individual:
  - Geographical information
  - Telephone numbers
  - Vehicular information
  - Fax numbers
  - Device identifiers/serial numbers
  - Email addresses
  - IP addresses
  - Medical record numbers
  - Biometric identifiers (e.g., fingerprints, voiceprints)
  - Health plan beneficiary numbers
  - Full-face photographs
  - Account numbers
  - Certificate/license numbers
  - Any other data which could reasonably be used to identify the individual
- Ensure the data has been reviewed by an expert – identified under HIPAA as “a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.”
If the data in question does not meet both of these criteria, call a lawyer to draft and sign a Business Associate agreement. And even if you think the data might be de-identified, it’s always better to speak to an expert. Find a legal professional schooled in HIPAA and give them an overview of the work you’re doing.
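As an added example (not code from the original post), here is a small Python checker for the first criterion above. It scans a constructed patient record for the identifier categories the checklist names, both by field name (an assumed schema) and by pattern in free text, and produces a redacted copy. The field names, regular expressions and the sample record are assumptions for illustration; the complete Safe Harbor rule enumerates more categories than this post lists, and the second criterion (expert review) cannot be automated, so a clean result here is a starting point for that review, not a substitute for it.

```python
import re

# Free-text identifier types from the checklist, matched by (simplified, assumed) patterns.
PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "telephone/fax number": re.compile(
        r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"
    ),
}

# Assumed record schema: field name -> checklist category it carries.
IDENTIFYING_FIELDS = {
    "mrn": "medical record number",
    "plan_beneficiary_id": "health plan beneficiary number",
    "account_number": "account number",
    "license_number": "certificate/license number",
    "vin": "vehicle identifier",
    "device_serial": "device identifier/serial number",
    "fingerprint_template": "biometric identifier",
    "photo": "full-face photograph",
    "address": "geographic information",
    "zip": "geographic information",
}


def find_identifiers(record: dict) -> list:
    """Return (field, category) pairs for every checklist category still present."""
    hits = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFYING_FIELDS:
            hits.append((field, IDENTIFYING_FIELDS[field]))
            continue
        if isinstance(value, str):
            for category, pattern in PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, category))
    return hits


def redact(record: dict) -> dict:
    """Return a copy with identifying fields dropped and free-text matches scrubbed."""
    cleaned = {}
    for field, value in record.items():
        if field in IDENTIFYING_FIELDS:
            continue  # whole field is an identifier: remove it outright
        if isinstance(value, str):
            for category, pattern in PATTERNS.items():
                value = pattern.sub(f"[{category} removed]", value)
        cleaned[field] = value
    return cleaned


def passes_identifier_check(record: dict) -> bool:
    """True when no checklist category (as modelled above) remains in the record."""
    return not find_identifiers(record)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "diagnosis_code": "E11.9",
    "notes": "Patient reachable at 555-867-5309 or jdoe@example.com; "
             "portal login from 203.0.113.7",
    "zip": "02139",
    "visit_year": "2023",
}

if __name__ == "__main__":
    for field, category in find_identifiers(SAMPLE_RECORD):
        print(f"{field}: still contains {category}")
    print(redact(SAMPLE_RECORD))
```

Run it against a record before it leaves your environment; the report lists which categories are still present, and the redacted copy is what you would hand to the expert reviewer along with the question of whether the remaining fields (diagnosis codes, visit year) could still identify someone in combination.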
HIPAA can be dense. It can be difficult and complex. But it’s something you must endeavor to understand, for the sake of your organization.
You need to know your role in protecting the personal data of the patients your business works with. You need to know your role in ensuring your business partners do the same. Because if you don’t, you’re going to run afoul of regulatory agencies.
But worse still, you could ruin the lives of the people who trusted you with their care.