When we talk about HIPAA and HIPAA compliance, the nature of the issue can seem overwhelming and complicated unless we first explain what HIPAA compliance is. In a nutshell, HIPAA compliance means abiding by the rules and meeting the obligations of the Health Insurance Portability and Accountability Act, commonly known as HIPAA. HIPAA compliance also includes obeying some other laws that are similar to HIPAA, for example the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA compliance is intricately linked with the concept of Protected Health Information (PHI), which is sometimes used interchangeably with the term “individually identifiable health information”. This can encompass a large range of things. Individually Identifiable Health Information, from the definition given in the text of the law, means:
Any information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
This is an incredibly broad range of things, as it can include any information that could reasonably be used to identify someone. This can include data such as IP addresses, genetic information, or biometric information – such as voice or fingerprints.
Knowing what we mean when we talk about HIPAA compliance is very important as it allows us to examine what we must do to be HIPAA compliant, depending on the situation. It also helps us to understand what type of company or group needs to be HIPAA compliant, as different parts of HIPAA and its related laws are applicable according to the structure involved and what it does.
Covered Entities and Business Associates
There are two main classifications when it comes to companies that are subject to HIPAA: Covered Entities and Business Associates. Covered Entities are generally health care providers (such as hospitals or clinics), health insurance agencies, or health care brokers and clearinghouses. These and other covered entities are defined as entities which, in the process of carrying out their regular activities and as mentioned in the definition above, create, store, or share PHI.
This may include, for example, a hospital which creates PHI through the records its doctors make about a patient; or an insurance company which receives PHI to process claims and payments.
Business Associates are similar, but not exactly the same: generally, business associates are companies or subcontractors that help covered entities by performing some service on behalf of the covered entity that involves the use or disclosure of PHI. These are typically administrative tasks, but not always, and they may include legal, consulting, or data management activities. A direct employee of a covered entity, for the purposes of HIPAA, is not a business associate.
Businesses that are covered entities in their own right may also act as business associates to other covered entities. For the relationship between a covered entity and its business associate to be HIPAA compliant, there must be an agreement in place which, among other factors, establishes the permitted and required uses and disclosures of PHI by the business associate and calls for appropriate security to be in place.