Does HIPAA Compliance Apply to Me?
- David Craig, MD
- August 2, 2016
- October 26, 2023
If you’ve ever done a search for HIPAA compliance, you’ll know that there is a lot of information available on various HIPAA regulations and violations, including some directly from the government.
So what’s the issue? Most of it is dense, and there is little guidance on how it impacts emerging care models and the use of new digital tools, such as email, texting, and apps.
To help combat this confusion, we’re going to spend the next few blog posts covering some essential, need-to-know HIPAA tips and explanations, hopefully in a way that won’t make your eyes glaze over.
HIPAA Compliance: Does It Matter for Me?
This is the #1 important question in all matters HIPAA. First, it is essential to understand that HIPAA is federal law and is therefore administered by a national department, the Department of Health and Human Services (HHS). The final word on HIPAA rests with HHS, and the law potentially applies to everybody in the United States.
With that said, the actual scope of HIPAA for people providing healthcare is much smaller. From HHS: “The HIPAA Rules apply to covered entities and business associates.”
This by itself is not very useful until you substitute in the meanings of “covered entity” and “business associate,” both of which are technical terms in the law.
HIPAA Compliance: What Is a “Covered Entity”?
A “covered entity” is any healthcare provider that conducts certain transactions in electronic form (45 CFR §160.103). Health plans and healthcare clearinghouses are also covered entities, but that’s not relevant for most doctors.
What Is a “Business Associate”?
“Business associate” also has a specific definition, but the essential point is that anybody conducting business with a covered entity is also subject to HIPAA if that business includes exposure to protected health information (PHI) from the covered entity.
HIPAA requires covered entities to obtain written assurance of compliance from potential business associates before disclosing PHI to them, so if you’re a doctor storing patient information on Gmail, and Google hasn’t signed a business associate contract for you, you might be afoul of the law already.
What Are “Transactions in Electronic Form”?
You may have noticed a strange bit of language in the definition for covered entity: “…any healthcare provider that conducts certain transactions in electronic form.” What is that about?
Technically, HIPAA only applies to providers who are transmitting financial or administrative healthcare information electronically, such as computerized insurance claims or eligibility checks.
In modern practice, almost everybody is doing at least some type of electronic transaction, but if you somehow aren’t, then HIPAA won’t apply to you. That sounds strange, but the Centers for Medicare and Medicaid Services (CMS) provides a confirmatory flowchart, if you want to check our math.
Important note: If another entity does your electronic transactions for you, then for HIPAA compliance and coverage purposes, that still counts as you doing it.
Do the HITECH Act and Omnibus Rule Impact HIPAA Compliance?
HIPAA (Health Insurance Portability and Accountability Act) was passed into federal law in 1996, and parts of it were updated by the HITECH Act, which was passed in 2009. HHS develops federal regulations based on these laws, and these are the actual rules that health care providers must follow. HHS initially wrote such rules after the passage of HIPAA, and they recently updated them with an “Omnibus Rule.”
The only important take-away is to follow the current regulations and guidance that HHS has published; they will have already taken all of the relevant legislation into account.
HIPAA Compliance: What About State Law
Great question, glad you asked. In general, HIPAA provides a “floor” of privacy protection, meaning that states cannot have laws that are more lenient than HIPAA. States can, however, have laws that are more strict or far-reaching than HIPAA, and many do. Understanding HIPAA is a good starting point, but it’s also important to be informed about health privacy law in each state in which you practice.
HIPAA Compliance Is Intricate!
Yes, even the bare-bones version is still complicated. Time for an executive summary.
Does HIPAA Compliance Apply to Me?
YES. If you are providing healthcare in the United States, you can safely assume, with a high degree of sureness, that HIPAA compliance is important for you.
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.