Does HIPAA Apply to Me?
Over the course of Sword & Shield’s years of HIPAA compliance consulting, we have been asked many times, “Does HIPAA apply to me?” In this post, we describe how your organization can determine whether or not you are required to be compliant with the HIPAA regulations for privacy and security of protected health information (PHI).
Introduction to HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to protect the personal data collected in the course of providing health care to individuals. HIPAA establishes a set of minimum privacy and security requirements for organizations that handle protected health information (PHI).
Who Needs to Be HIPAA Compliant?
The HIPAA regulation applies to “covered entities” and “business associates” that handle “protected health information”. In this section, we’ll describe what HIPAA means by “covered entities” and “business associates”. In the next section, we’ll cover what is considered “protected health information” by the HIPAA regulations.
According to the HIPAA regulations, there are three types of covered entities: health plans, health care clearinghouses, and health care providers.
Health plans are organizations that provide medical care or pay the cost of providing medical care. This includes Health Maintenance Organizations (HMOs), Preferred Provider Organizations (PPOs), Medicare, Medicaid, company health plans, etc.
Health care clearinghouses include any organization that receives health information from one entity in a non-standard format and converts it to a standard format (or the reverse, standard to non-standard) before passing it on to another entity. Examples include billing services, community health information systems, and any other organization that provides “value added” services to one or both of the organizations exchanging the data.
Health care providers include anyone who provides health care services. This includes everything from preventative care to rehabilitation to pharmaceutical care. Examples include doctors, pharmacists, nursing homes and hospice workers, and lab technicians.
A business associate is any organization that has a vendor or subcontractor relationship with a covered entity and handles protected health information as part of that relationship. If an organization has access to health information in digital or physical form, or access to systems that generate or store that information, it may be considered a business associate under HIPAA.
What is Considered Protected Health Information (PHI)?
Some types of protected health information (PHI) are obvious, like the contents of a person’s medical record. However, this is not the only information protected by HIPAA. Protected health information also includes:
- Conversations between a patient and their provider about their treatment
- Any medical information stored by the patient’s health insurance provider
- A patient’s billing information
If your organization handles any of these types of information in any form, you may be subject to HIPAA regulations.
Meeting HIPAA Compliance Requirements
Identifying whether your organization is subject to HIPAA is only the first step toward compliance. You also need to understand the minimum requirements HIPAA sets out, and how to apply them to your organization’s particular situation, so that the organization does not end up in violation of the regulations.
Sword & Shield is a top HIPAA compliance company that employs a team of experts that can help you determine whether your organization is subject to HIPAA and, if so, help you to identify and take the necessary steps to meet or exceed HIPAA’s minimum requirements for properly managing protected health information.
Contact us for a free consultation.