If you handle what’s called protected health information (PHI), then this is an important question to be asking because HIPAA violations can result in some serious penalties.
What is PHI you ask? Good question. PHIis any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment. In other words, PHI is information in your medical records, including conversations between your doctors and nurses about your treatment. PHI also includes your billing information and any medical information in your health insurance company's computer system.
So, who needs to be HIPAA compliant?
The short answer is that the HIPAA rules apply to both Covered Entities and their Business Associates (HHS.gov). But, that just leaves us with more questions. What is a Covered Entity? Am I considered a Business Associate?
Let’s start with Covered Entities. According to the U.S. Department of Health & Human Services (HHS) Healthcare Providers, Health Plans, and Healthcare Clearinghouses are all Covered Entities. This one is pretty straightforward. Healthcare Providers are exactly who you might think. Hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies are considered Healthcare Providers and need to be HIPAA compliant.
Examples of Health Plans include health insurance companies, HMOs, company health plans, Medicare, and Medicaid. In addition, employers and schools that handle PHI in order to enroll their employees and students in health plans fall under the definition of a Health Plan and need to be HIPAA compliant.
Healthcare Clearinghouses are a little more esoteric. A Clearinghouse takes in information from a healthcare entity, puts the data into a standard format, and then spits the information back out to another healthcare entity. They need to be HIPAA compliant too.
Covered Entities are by and large ahead of the curve when it comes to HIPAA compliance. But, on September 23, 2013 the final Omnibus Rule made Business Associates of Covered Entities directly liable for compliance with certain HIPAA requirements. Plus, the new rules expanded the definition of Business Associate to include most subcontractors that access PHI. These changes have thousands of companies scrambling to become compliant. Does this apply to you? Are you a Business Associate?
Simply put, a Business Associate is a vendor or subcontractor who has access to PHI.
A more legalese definition of a Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
The vendors that we are talking about can be data storage or document storage services (doesn’t matter if they can view the PHI that they maintain), providers of data transmission services, portals or other interfaces created on behalf of Covered Entities that allow patients to share their data with the Covered Entity, and electronic heath information exchanges. If a Business Associate (vendor) delegates a covered function or activity to someone, then that entity is considered a subcontractor.
Some vendors avoid PHI like the plague; they don’t want this information anywhere near their service. But, avoidance doesn’t necessarily excuse a vendor from becoming compliant. If a Covered Entity (customer) sends PHI through a vendor, and the vendor’s servers store this information, then they are considered a Business Associate and subject to the HIPAA Security Rule. There is no mitigation of liability for a vendor that refuses to enter into a business associate agreement (BAA). In point of fact, not entering into a BAA is a violation in and of itself.
Here are some examples of potential Business Associates:
- Data processing firms or software companies that may be exposed to or use PHI
- Medical equipment service companies handling equipment that holds PHI
- Shredding and/or documentation storage companies
- Consultants hired to conduct audits, perform coding reviews, etc.
- Lawyers
- External auditors or accountants
- Professional translator services
- Answering services
- Accreditation agencies
- e-prescribing services
- Medical transcription services
In contrast, these folks are NOT Business Associates:
- Covered Entity’s Workforce
- Individuals or companies with very limited and incidental exposure to health information, such as a telephone company, electrician, etc.
- Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
So to sum it all up, if you handle PHI then you most likely need to be HIPAA compliant.
Still not sure if you need to be HIPAA compliant? No problem, email us your questions at blog@truevault.com. TrueVault gets to see a wide variety of use cases, and we are happy to share our experiences.