
The vast majority of Americans (over 92%) have health insurance, with more than 195,000,000 people enrolled in private plans. That volume of protected data is one reason the penalties for HIPAA noncompliance are so steep: as high as $50,000 per violation. Is your business subject to HIPAA regulations? To answer this question, you first need to know what a covered entity is.
Any individual or organization that is required to follow HIPAA rules for privacy, data security, breach notifications, and other regulations is a covered entity. There are three main categories of HIPAA covered entities:
All covered entities create, receive, maintain, or transmit protected health information in some way. PHI is any individually identifiable health information, in any form, that a covered entity or business associate handles: medical records, billing information, and similar data tied to a patient. Electronic PHI (ePHI) is the subset stored or transmitted electronically, and it is the data the HIPAA Security Rule specifically governs.
A healthcare provider becomes a covered entity when it transmits health information electronically in connection with a HIPAA standard transaction, such as submitting claims to an insurer or checking a patient's eligibility, regardless of the size or location of the practice. A solo private practice that sends electronic bills to insurers is therefore a covered entity and must comply with HIPAA in full.
Healthcare providers offer a variety of services related to patient care and support, from analyzing blood tests to assisting with rehabilitation. The HIPAA definition of healthcare includes doctor visits, medical procedures, X-rays, physical therapy, palliative care, and even prescriptions.
Some healthcare providers that need to comply with HIPAA include:
Patient data related to mental health is also protected by HIPAA. Psychologists, psychiatrists, and therapists have to follow the same privacy and security guidelines for ePHI.
HIPAA guidelines define health plans as private or government-funded medical coverage. These include personal health insurance purchased by individuals, family plans, and group policies managed by employers. Who is responsible for HIPAA compliance with health insurance?
Blue Cross Blue Shield, Cigna, United, Humana, and Aetna are a few brands of health insurance that must be HIPAA compliant. This means establishing robust data security, network defenses, and access control measures to prevent unauthorized disclosure of PHI.
HMOs combine insurance premiums with a network of approved healthcare providers. HIPAA regulations apply to both the insurance and medical sides of operations. Similar health plans include Preferred Provider Organizations and Exclusive Provider Organizations.
According to the U.S. Census Bureau, the majority of Americans are enrolled in employer health plans (55%). Small and mid-size businesses often purchase group health insurance for employees, sharing the cost of premiums.
Larger enterprises sometimes create a self-funded health plan that uses the organization's assets to cover claims. In both cases, the group health plan itself is the HIPAA covered entity, and the employer that sponsors it takes on HIPAA obligations for any plan PHI it receives or administers, even when the coverage is purchased from a third-party insurer.
It’s easy for HIPAA violations to catch employers unaware. Many don’t realize they have to follow special data privacy and security measures regarding employee policies, lab reports, and other paperwork related to claims.
Healthcare clearinghouses, also known as billing clearinghouses, act as intermediaries between care providers (hospitals, etc.) and health plans. They process claims, verify accuracy, manage denials, and perform many other tasks.
Providers send claims to the clearinghouse, which checks for errors or missing information, converts them into the standard transaction codes and formats, and submits the finished claim to the insurer; remittances and denials flow back through the same channel. The process involves large amounts of PHI, so clearinghouses are covered entities and must always be HIPAA compliant.
Community health information systems also fall under the HIPAA umbrella: the regulatory definition of a healthcare clearinghouse explicitly includes community health information systems and community health management information systems. Any such organization, whether a non-profit, faith group, or community group, that stores or converts ePHI while helping members manage health plans or healthcare must follow HIPAA standards for privacy and security. The Security Rule lets the safeguards scale with the size, complexity, and resources of the organization, but a documented risk analysis and sound data security practices are a must.
Many healthcare providers outsource some services or responsibilities to independent companies. For example, a hospital may hire an outside law firm to defend against a malpractice lawsuit, and the firm will need access to patient records to do so. These third-party businesses are not covered entities. Instead, HIPAA calls any organization that creates, receives, maintains, or transmits PHI on a covered entity's behalf a business associate.
Here are a few more examples of business associates:
Don’t forget digital tools. Healthcare providers must verify that a videoconferencing platform is HIPAA-compliant before using it for telehealth: the vendor must sign a Business Associate Agreement and the service must be configured appropriately. Zoom and Microsoft Teams can both meet HIPAA requirements on those terms, depending on the plan and configuration.
A business associate's HIPAA obligations attach to the PHI it handles for covered entities; data from its other lines of business is not regulated by HIPAA. For that PHI, however, business associates have been directly liable under the HIPAA Security Rule and applicable Privacy Rule provisions since the 2013 Omnibus Rule, not merely bound by contract, and they must follow all HIPAA guidelines for security and privacy whenever they perform work on behalf of a covered entity.
In practice, this means every business associate must have HIPAA-compliant policies, an assigned security official (and typically a privacy officer), appropriate administrative, physical, and technical safeguards, and the technology needed to protect ePHI. HIPAA requires a Business Associate Agreement between the covered entity and the business associate that spells out permitted uses and disclosures of PHI, required safeguards, breach reporting obligations, and return or destruction of PHI when the engagement ends; business associates must in turn put an equivalent agreement in place with any subcontractor that handles the PHI.
Not all businesses related to health information or insurance need to meet HIPAA:
The Centers for Medicare & Medicaid Services offers a downloadable decision tool that helps organizations analyze their HIPAA responsibilities and evaluate third-party providers.
If you’re unsure whether your business meets the definition of a covered entity for HIPAA regulations, we can help. Compyl is a compliance automation platform that has helped many organizations achieve and maintain HIPAA compliance. Contact us for assistance today.