HIPAA: Where and When does HIPAA Apply? To Me and You?

Any hospital would be considered a Covered Entity

Most folks think they know where, when, how, and why the HIPAA Rule applies. The reality is, most folks don’t actually know as much as they think about the HIPAA rule. In fact, a local news organization decided to misspell the acronym in one of their articles from April 2021 (sadly, KXAN deleted the article after much backlash for spelling it wrong).

The HIPAA rule doesn’t apply to individuals if they decide to tweet out your surgery results. The rule doesn’t apply to your employer if they ask you if you’ve gotten your COVID-19 vaccine. The rule doesn’t apply to tech companies that sell fitness trackers that hold heart rate information. So if HIPAA doesn’t apply to any of these common instances, then who does it apply to? And how would it apply?

Type: Covered Entity
Description: Healthcare Providers, Health Plans, Healthcare Clearinghouses.
Examples: Doctors, Clinics, Health Insurance Companies, Dentists, Nursing Homes, Entities processing healthcare information from other entities.

Type: Business Associate
Description: Entities that perform work on behalf of CE’s and come into contact with PHI.
Examples: Consultants, CPA firms with access to PHI, an attorney with access to PHI for business reasons.

Type: Hybrid Entity
Description: A single, legal entity whose business activities include covered and non-covered functions.
Examples: Universities, any company that offers healthcare services to employees and is not primarily a CE.

Covered Entities

A Covered Entity, or CE, is almost any organization you can imagine that holds health-related information in print (PHI) or electronic form (ePHI). These entities include pharmacies, chiropractors, psychologists, and any other entity transmitting and storing health-related information that can be used to uniquely identify an individual. In the PHI letter, we discussed the 18 types of PHI. All CE’s have to comply with the HIPAA Privacy and Security Rules that govern ePHI, which we will discuss in later letters.

All individuals, organizations, and agencies that meet the requirements outlined in HIPAA to be considered a CE must protect the privacy and security of health information. This includes reporting any breaches to the Office for Civil Rights (OCR) and the affected individuals. This, of course, only applies when 500 or more individuals are affected by the breach. If the total number of affected individuals is unknown, an estimate should be provided (we’ll cover this more later in the Breach Notification Rule).

Business Associates

These are the lesser-known affiliates of CE’s, and they MUST comply with the HIPAA rule. Business Associates, or BA’s for short, are entities that perform services on behalf of a CE and come into contact with ePHI.

Imagine an accounting firm is contracted by a hospital to perform regular audits of the CE’s financial statements. This firm will most likely come into contact with ePHI during the audit process, especially if it is performing effectiveness procedures over the billing process. The firm would need to conclude that the correct people were billed the correct amounts and that each payment was processed correctly. This process would bring the BA into contact with ePHI, so the BA would need to prove it is compliant with HIPAA.

Most BA’s would be your typical consulting firm performing procedures on behalf of the CE. This would also include, to a certain degree, individual contractors operating as a business. These folks would need to comply with the CE’s standards of data protection and data privacy covered by the HIPAA rule. And the Breach Notification Rule applies to BA’s in the same way it applies to CE’s.

Hybrid Entities

So CE’s and BA’s are pretty simple to understand. To recap, CE’s are your front-end entities like hospitals and doctors, while BA’s are the back-end entities like accounting firms or technology consultants. So what would a HE be?

Hybrid Entities are a strange combination of the two: the organization isn’t primarily a CE, but it has a service that handles ePHI. The best example would be a university, which isn’t primarily a healthcare provider but offers medical services to students. These services, obviously, would come in contact with ePHI. Because of this, that service must be HIPAA compliant.

Another example would be an entity that can choose to include or exclude a research lab that functions as a healthcare provider but doesn’t engage in electronic transactions. These aren’t too common since we live in such a digital age, but they still exist and, in some cases, must comply with HIPAA to the extent they’re liable.

And as with all CE’s and BA’s, whether the HE is required to comply with HIPAA often comes down to the circumstances of the data and the breach!

Refresh a few Questions

Q: What does HIPAA stand for?

A: Health Insurance Portability and Accountability Act

Q: Is my company allowed to ask me if I’ve been vaccinated for COVID-19?

A: Yes! Your company is allowed to ask you if you’ve been vaccinated! HIPAA doesn’t protect you from your own company’s questions. In some very rare cases, where your employer is a CE or BA, they may not be allowed if they intend to use that information in a way not compliant with HIPAA. However, that shouldn’t be the case 95%-99% of the time.

Q: Does HIPAA apply to companies like Apple, WHOOP, or other non-CE’s?

A: That’s a big N-O! Those companies aren’t CE’s or, in most cases, BA’s. Although it is interesting to note that Apple is trying to get into the Healthcare industry. See this article for more context around this. The article is from 2019, but it highlights some points that should be considered.

Q: Does HIPAA protect individuals? In other words, can I sue another individual if they expose my personal data?

A: Yes, to an extent. You are protected from CE’s and BA’s mishandling your information, but not if another individual mishandles it. We need to break these areas apart though… If a doctor, who is a CE (or works for one), mishandles your data, they are typically protected through insurance or their CE (the CE, and not the doctor, is on the hook). The doctor, however, will have to answer to their employer or governing body if they’re found to be non-compliant. An individual mishandling data at a BA or HE would be held accountable in the same way as a doctor. The regulation applies to CE’s, BA’s, and HE’s, but not to an individual sharing your information with others. See this newsletter for an example of how this plays out.

If you have questions I didn’t answer, please reach out to me via the Contacts page on the website! I always welcome other opinions and questions from interested parties!


See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.
