The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established standards for protecting the security and privacy of sensitive patient data. The law applies to covered entities and their business associates. 

But there’s a simpler way to answer the question: do I need to be HIPAA compliant?

If your organization creates, stores, processes, or transmits protected health information, you must adhere to HIPAA regulations. 

Under HIPAA, protected health information — commonly referred to as PHI — includes any personal data that can be directly or indirectly linked to a specific individual. 

HIPAA rules apply to both covered entities and business associates, but the way the law is administered varies slightly based on which category an organization falls into.

What’s the difference between a covered entity and a business associate?

Covered entities include:

  • Healthcare providers: doctors’ offices, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, labs
  • Health plans: health insurance companies, HMOs, company health plans, and government programs that pay for healthcare including Medicare/Medicaid and veterans’ healthcare programs 
  • Healthcare clearinghouses: organizations that process nonstandard health information to conform to standards for data content or format on behalf of another organization

Business associates are individuals or organizations that provide services on behalf of a covered entity and also interface with PHI or ePHI. Examples of business associates include:

  • Software providers whose products interact with systems that contain ePHI, as well as cloud service providers, cloud platforms, and file storage companies 
  • Claims processing services
  • Data analysis services
  • Quality assurance services
  • Billing services
  • Attorneys or legal consulting services
  • CPA firms
  • Accounting services

Consultants employed by a covered entity are considered part of that covered entity’s workforce and are not considered business associates.  

HIPAA compliance requirements for covered entities and business associates

The HIPAA Privacy Rule requires that covered entities get “satisfactory assurances” from business associates that they will take the necessary steps to safeguard any protected health information they may receive or create on behalf of the covered entity. These assurances must be made in writing in the form of a Business Associate Agreement (more on BAAs below). 

Business associates may only use protected health information for the express purposes defined by the covered entity. They must also protect that information from misuse by following the requirements laid out in the HIPAA Privacy Rule. Business associates are responsible for ensuring any subcontractors also agree to comply with HIPAA rules in the form of a BAA. 

If a covered entity discovers that a business associate has suffered a data breach or otherwise mishandled PHI, they must take reasonable steps to address the breach and end the HIPAA violation —or terminate their contract with the business associate. If none of those steps are possible, the covered entity is required to report the issue to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). 

What to include in a HIPAA business associate agreement (BAA)

Business Associate Agreements define the business associate’s responsibilities regarding PHI and the steps they will take to comply with HIPAA rules. These agreements include a few key elements: 

  • A description of the permitted and required uses of PHI by the business associate
  • Provisions that the business associate will not use or disclose PHI other than is permitted or required by the contract or by law
  • Requirements that the business associate will implement proper safeguards to prevent the unauthorized use or disclosure of protected health information

There are some situations where covered entities are not required to have a business associate agreement in place before disclosing PHI. These include: 

  • When a covered entity discloses PHI to facilitate treatment for an individual patient. For example, transmitting a patient’s medical record to an outside specialist or laboratory. 
  • When a public health plan such as Medicare discloses PHI to an administrator to determine eligibility for enrollment
  • When a covered entity discloses PHI to a health plan for payment purposes
  • When the business associate’s services do not involve the use or disclosure of PHI, such as an electrician or plumber, or when the business associate acts as a conduit for PHI, such as the US Postal Service or private couriers
  • When PHI is disclosed among covered entities that are part of an organization health care arrangement (OHCA), such as when a group health plan purchases insurance from a health insurance issuer or HMO
  • When PHI is disclosed to a researcher for research purposes, either with patient authorization or as a limited data set
  • When a financial institution processes payment card transactions, clears checks, or processes electronic funds transfers

FAQs

Who or what is a covered entity?

Under HIPAA, a covered entity is a health care provider, health plan, or health care clearinghouse who electronically transmits health information in connection with any transaction for which HHS has adopted a standard. Generally, these transactions are related to billing and payment for services or insurance coverage.

What are 10 covered entities under HIPAA?

Under HIPAA, 10 examples of covered entities are:

  1. Doctors
  2. Clinics
  3. Psychologists
  4. Dentists
  5. Chiropractors
  6. Nursing Homes
  7. Pharmacies
  8. Health insurance companies
  9. Company health plans
  10. Health care clearing house

Please note that the first seven only fall under the definition of a covered entity if they submit HIPAA transactions, like claims, electronically.

What is not a HIPAA covered entity?

All persons or institutions that collect individually identifiable health information are not considered covered entities. Only those that collect PHI and conduct electronic transactions for which HHS has adopted a standard are covered. So, for example, researchers are not considered a HIPAA covered entity unless they conduct these electronic transactions.

What are the patient's rights within a covered entity?

Under the HIPAA Privacy Rule, patients have a right to access the PHI about them. HIPAA covered entities are generally required to provide individuals, upon request, with access to this information regardless of when the information was created, whether its stored in paper or electronic systems, or where the PHI originated, among other factors. Patients have the right to inspect and/or obtain a copy of the PHI or direct the covered entity to transmit a copy to a designated person or entity of their choice. You can find more details here.

What is a HIPAA business associate?

A HIPAA business associate is an individual or entity that either performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity or provides services to a covered entity. For example, a third-party administrator that assists a health plan with claims processing is a HIPAA business associate.

What types of companies need to be HIPAA compliant?

Companies that need to be HIPAA compliant include two main categories: Covered Entities and Business Associates.

  • Covered Entities: These are the primary organizations that provide treatment, payment, and operations in healthcare. Covered entities include:
  • 1. Healthcare Providers: Such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit any health information in electronic form in connection with transactions for which HHS has adopted standards.
  • 2. Health Plans: Including health insurance companies, HMOs (Health Maintenance Organizations), company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans healthcare programs.
  • 3. Healthcare Clearinghouses: Organizations that process nonstandard health information they receive from another entity into a standard (i.e., electronic) format or vice versa.
  • Business Associates: These are individuals or entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A business associate can be a person or an entity and includes services such as:
  • 1. Billing companies
  • 2. Claims processing companies
  • 3. Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services
  • 4. IT providers and email encryption services
  • 5. Document and data storage companies (including cloud storage)
  • 6. Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate

Who is HIPAA mandated by?

HIPAA is mandated by the U.S. federal government and was enacted by the United States Congress. It is administered and enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). HIPAA, which stands for the Health Insurance Portability and Accountability Act, was initially signed into law in 1996. The primary goal of the law is to protect the privacy and security of health information and to ensure individuals' rights are protected concerning their health information. The OCR is responsible for investigating complaints and enforcing compliance with the HIPAA rules.