{"id":49,"date":"2016-08-02T13:27:49","date_gmt":"2016-08-02T20:27:49","guid":{"rendered":"https:\/\/blog.sprucehealth.com\/?p=49"},"modified":"2023-10-26T06:23:17","modified_gmt":"2023-10-26T13:23:17","slug":"hipaa-compliance-apply-to-me","status":"publish","type":"post","link":"https:\/\/sprucehealth.com\/blog\/hipaa-compliance-apply-to-me\/","title":{"rendered":"Does HIPAA Compliance Apply to Me?"},"content":{"rendered":"

If you’ve ever done a search for HIPAA compliance, you’ll know that there is a lot of information available on various HIPAA regulations and violations, including some directly from the government<\/a>.<\/p>\n

So what’s the issue? Most\u00a0of it is dense, and there is little guidance on how it impacts\u00a0emerging care models and the use of new digital tools, such as email, texting, and apps.<\/p>\n

To help combat this confusion, we’re going to spend the next few blog posts covering some essential, need-to-know HIPAA tips and explanations, hopefully in a way that won’t make your eyes glaze over.<\/p>\n

HIPAA Compliance: Does It Matter for Me?<\/h1>\n

This is the #1 important question in all matters HIPAA. First, it is essential to understand that HIPAA is federal law and is therefore administered by a national\u00a0department, the\u00a0Department of Health and Human Services (HHS<\/a>). The final word on HIPAA rests with HHS, and the law potentially applies to\u00a0everybody in the United States.<\/p>\n

With that said, the actual scope of HIPAA for people providing healthcare is much smaller. From HHS: “The HIPAA Rules apply to covered entities and business associates.”<\/p>\n

This\u00a0by itself is not very useful until you substitute in the meanings of “covered entity” and “business associate,” both\u00a0of which are technical terms in the law.<\/p>\n

HIPAA Compliance: What Is a “Covered Entity”?<\/h2>\n

A “covered entity” is any\u00a0healthcare provider that conducts certain transactions in electronic form (45 CFR \u00a7160.103<\/a>). Health plans and healthcare clearinghouses are also covered entities, but that’s not relevant for most doctors<\/strong><\/span>.<\/p>\n

What Is a “Business Associate”?<\/h2>\n

“Business associate” also has a specific\u00a0definition, but the essential point is that anybody conducting business with a covered entity is also subject to HIPAA if that business includes exposure to protected health information (PHI) from the covered entity.<\/p>\n

HIPAA requires covered entities to obtain\u00a0written assurance of compliance from potential business associates before disclosing PHI to them, so if you’re a doctor storing patient information\u00a0on Gmail, and Google hasn’t signed a business associate contract for you, you might be afoul of the law already.<\/p>\n

What Are “Transactions in Electronic Form”?<\/h2>\n

You may have noticed a\u00a0strange bit of language\u00a0in the definition for covered entity: “…any healthcare provider that conducts certain transactions in electronic form.” What is that about?<\/p>\n

Technically, HIPAA\u00a0only applies to providers who are transmitting financial or administrative healthcare information electronically, such as computerized insurance claims or eligibility checks.<\/p>\n

In modern practice, almost everybody is doing at least\u00a0some type of electronic transaction, but if you somehow aren’t, then HIPAA won’t apply to you. That sounds strange, but the Centers for Medicare and Medicaid Services (CMS)\u00a0provides a confirmatory flowchart<\/a>, if you want to check our math.<\/p>\n

Important note: If another entity\u00a0does\u00a0your electronic transactions for you, then for HIPAA compliance and coverage purposes, that still counts as you doing it.<\/p>\n

Do\u00a0the HITECH Act and Omnibus Rule Impact HIPAA Compliance?<\/h1>\n

HIPAA (Health Insurance Portability and Accountability Act) was passed into federal law in 1996, and parts of it were updated by the HITECH Act, which was passed in 2009.\u00a0HHS develops federal regulations<\/a> based on these laws, and these are the actual rules that health care providers\u00a0must follow. HHS initially wrote such rules after the passage of HIPAA, and they recently updated them with an\u00a0“Omnibus Rule<\/a>.”<\/p>\n

The only important take-away is to follow the current regulations and guidance that HHS has published; they\u00a0will have already taken all of the relevant legislation into account.<\/p>\n

HIPAA Compliance: What\u00a0About State Law<\/h1>\n

Great question, glad you asked. In general, HIPAA provides a “floor” of privacy protection<\/a>, meaning that states cannot have laws that are more lenient than HIPAA. States can, however, have laws that are more strict or far-reaching than HIPAA, and many<\/a> do<\/a>. Understanding HIPAA is a good starting point, but it’s also important to be informed about\u00a0health privacy law in each state<\/a> in which you practice.<\/p>\n

HIPAA Compliance Is Intricate!<\/h1>\n

Yes, even the bare-bones version is still complicated. Time for an executive summary.<\/p>\n

\n

Does HIPAA Compliance Apply to Me?<\/h1>\n

YES<\/span>.<\/strong> If you are providing healthcare in the United States, you can safely assume, with a high degree of sureness, that HIPAA compliance is important for\u00a0you.<\/p>\n

This article is part of a series of posts relating to HIPAA law and regulation. The information provided is\u00a0meant as general guidance only and is not intended to be legal advice.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

If you’ve ever done a search for HIPAA compliance, you’ll know that there is a lot of information available on various HIPAA regulations and violations, including some directly from the government.<\/p>\n","protected":false},"author":1,"featured_media":466,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"slim_seo":{"title":"Does HIPAA Compliance Apply to Me? - Spruce Blog","description":"If you've ever done a search for HIPAA compliance, you'll know that there is a lot of information available on various HIPAA regulations and violations, includi"},"footnotes":""},"categories":[14],"tags":[16,15],"different-template":[],"class_list":["post-49","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hipaa","tag-compliance","tag-hipaa"],"acf":[],"_links":{"self":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/49","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":0,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media\/466"}],"wp:attachment":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/tags?post=49"},{"taxonomy":"different-template","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/different-template?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}