HIPAA regulations are designed to safeguard the protected health information of patients. This requires implementing rigorous standards for privacy, cybersecurity, risk management, and data integrity. Compliance takes time, effort, and money, so it’s important for businesses to know who HIPAA applies to, when, how, and why.
What Businesses Does HIPAA Apply To?

In broad terms, HIPAA applies to any business that transmits electronic PHI for transactions covered by HIPAA regulations, such as billing a patient’s insurance company or authorizing a medical procedure. More specifically, HIPAA regulations focus on covered entities and business associates. Who do these groups include?
Hospitals, Clinics, and Healthcare Practices
Healthcare organizations are one of the largest groups of HIPAA-covered entities:
- Hospitals
- Private practices
- Medical clinics
- Nursing homes
- Dental offices
- Pharmacies
Organizations must adopt administrative, physical, and technical safeguards. For example, hospitals must appoint a HIPAA officer to monitor and coordinate security and privacy compliance efforts.
Insurance Companies
HIPAA also applies to health plans, HMOs, and health insurers. These organizations must follow HIPAA regulations when processing and storing patient data. The Breach Notification Rule requires notifying affected patients and the HHS in the event of unauthorized disclosures.
Telehealth Providers
The HIPAA Privacy Rule impacts any type of electronic communication with patients, from live chats and video conferencing to messages and emails. Part of ensuring data security is using HIPAA-compliant platforms with the necessary configurations.
Business Associates
Third-party businesses that work with a covered entity must follow all applicable HIPAA regulations for the project, such as risk governance policies, privacy standards, and data security practices. Examples of business associates include:
- Medical transcription services
- Software platforms and tools (e.g., Zoom, Microsoft Office 365, etc.)
- Cloud storage providers
- IT and cybersecurity businesses
- Business consultants and claims specialists
To become HIPAA compliant, covered entities and business associates must create a detailed agreement that outlines the contract’s scope, the services required, and HIPAA responsibilities.
Small Businesses
All covered entities must meet HIPAA requirements, whether they have five employees or 500. That said, HIPAA regulations consistently emphasize the terms “reasonable and appropriate.”
This means private practices have significant leeway in determining what data security measures to implement. Still, they must have a person in charge of HIPAA compliance, develop an adequate privacy policy, and take steps to avoid data breaches, unauthorized access to patient information, and ransomware attacks.
Companies With Self-Insured Health Plans
HIPAA regulations can apply to employers in some circumstances. If your organization offers a self-insured health plan for employees, you must comply fully with HIPAA regulations. Technically, the health plan is an independent legal entity, but the employer still needs to make sure the required safeguards are in place.
There are a few exceptions, such as group plans with fewer than 50 enrollees. Moreover, if you provide sponsored healthcare coverage from an outside insurer — also called a “fully insured” health plan — you may be exempt from the majority of HIPAA requirements.
Who Does HIPAA Apply to in Healthcare?

HIPAA regulations also cover the actions and activities of individuals in a healthcare environment. To avoid HIPAA violations, it’s critical to understand what employees are allowed to do with PHI.
Doctors, Nurses, and Medical Staff
Medical personnel come into contact with PHI on a daily basis. Doctors must know how to navigate HIPAA regulations when creating or adding to patient records, carrying out consultations, and communicating with colleagues.
HIPAA applies to all types of medical professionals:
- General practitioners
- Surgeons
- Anesthesiologists
- Physical therapists
- Radiologists
A common Privacy Rule violation that doctors must watch out for is accidentally disclosing PHI to unauthorized individuals. While HIPAA allows discussing test results with family members who are involved in the individual’s treatment or recovery, it’s necessary to get the patient’s consent (direct or implied) first.
Mental Health Professionals
HIPAA applies to mental healthcare just as much as other types of treatment. Psychologists, psychiatrists, therapists, clinical social workers, counselors, and other psychiatric professionals must protect patient data and privacy.
There is a special set of requirements for psychotherapy notes in HIPAA. It’s normally acceptable for doctors to share PHI for treatment purposes without the patient’s consent, but not psychotherapy notes. The only exception is when disclosing the records is necessary for law enforcement or to prevent the individual from harming themselves.
Home Health Workers
Organizations that provide home healthcare have to follow the same HIPAA standards as hospitals and nursing homes. Discussing an individual’s care with strangers online or using PHI for marketing purposes without consent are HIPAA violations.
Other Employees of Covered Entities
It’s not only medical professionals who can be punished for HIPAA violations. Janitorial staff, IT technicians, and independent contractors can trigger major problems if they access sensitive data without permission. One of the most common HIPAA violations is hospital staff snooping in the private records of acquaintances.
Does HIPAA Apply After Death?
The Privacy Rule applies to the PHI of deceased individuals for 50 years after death. Covered entities must respect the person’s instructions, such as not sharing certain details about medical conditions when specifically requested.
There are several exceptions to HIPAA rules after death. For example, disclosure is authorized for public health purposes, law enforcement requests, and funeral arrangements.
Covered entities can also share PHI with the individual’s appointed executor or legal representative. Medical professionals can use their judgment when sharing PHI with relatives and friends who were involved in caring for the deceased.
Who Doesn’t HIPAA Apply To?

A common misconception is that HIPAA applies to all situations where a person’s health information is involved. In reality, PHI only involves patients.
Even though popular wearables and apps gather intimate health data, such as heart rate and blood pressure, tech companies aren’t subject to HIPAA regulations. Manufacturers that make continuous glucose monitors aren’t covered entities.
Similarly, HIPAA only applies to health insurers, not other insurance companies. Workers’ compensation, liability coverage, and personal injury protection (a type of car insurance) are all specifically exempt from HIPAA.
Does HIPAA Apply to Your Operations?
Navigating HIPAA definitions can be complex, especially as modern brands diversify into multiple markets. The first step is knowing who HIPAA applies to in your organization and what your obligations are. Compyl is a cutting-edge tool for HIPAA compliance mapping and automation. Contact us for more information today.