The Health Insurance Portability and Accountability Act, more commonly referred to as HIPAA, is a law of the United States of America that governs various aspects of data management which must be followed by so-called HIPAA-covered entities. But who is subject to HIPAA, and what exactly are HIPAA-covered entities?
HIPAA-covered entities are defined in the HIPAA legislation as health plans, healthcare clearinghouses and healthcare providers who transmit any health information in electronic form in connection with a transaction covered by subchapter 160.103. We will look at these more closely in a moment, but broadly speaking, this means people or organizations that transfer any data defined as protected health information (PHI) for any of the purposes for which the Department of Health and Human Services has enacted standards. Examples of these purposes include processing insurance claims related to healthcare, data analysis, quality assurance, billing, and other similar activities.
What type of entities?
Health plans are a grouping that can include a large number of subgroups, such as companies providing health insurance, certain government programs that pay for treatment or care, such as Medicare, and others such as health plans for military personnel and veterans.
Clearinghouses process healthcare data that has not been standardized and bring it into line with the more standard formats that other entities are accustomed to dealing with. Indeed, one of the founding principles of HIPAA was to introduce more standardization across the healthcare industry to save time and facilitate administrative processes.
The most easily understood of these groupings is healthcare providers, which is quite intuitive and refers to doctors, dentists, nurses, hospitals, clinics, pharmacies, nursing homes and other similar people and organizations.
HIPAA rules also apply to another category of organizations known as business associates, as well as to subcontractors of a business associate that are involved in processing or transmitting PHI.
What are Business Associates?
Business associate is the term used to refer to people or companies that carry out services linked to PHI on behalf of HIPAA-covered entities. This may mean that they access, share, store or otherwise make use of PHI in carrying out their service for the covered entity. As the range of PHI-related services that can be provided to covered entities is huge and quite varied, many different types of service provider may be considered business associates. Some examples of business associates include cloud storage services, lawyers, consultants, billing services, collection agencies and many others. An organization that is a HIPAA-covered entity in its own right may also be a business associate of another HIPAA-covered entity.
A crucial step in the relationship between a covered entity and its business associate is the implementation and signing of a Business Associate Agreement (BAA). Such an agreement must be in place and in force before any PHI can be transmitted from the covered entity to the business associate. Any transfer made without or outside such an agreement is not compliant with HIPAA rules. The BAA establishes the roles and responsibilities of each party to the agreement. As such, it is an important factor in securing patients' data, as it ensures no element is overlooked because one party assumed something was being managed by the other.