In this lesson, you'll learn what HIPAA is, the role it plays in healthcare, and who is mandated to follow its requirements, along with relevant real-world examples.
What is HIPAA?
HIPAA is an acronym that stands for – Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark act to provide the following:
- The portability of insurance
- The protection and privacy of healthcare information
- The standardization and efficiency in healthcare data
- The prevention of discrimination and fraud
What is HIPAA's Role in Healthcare?
HIPAA gives the U.S. Department of Health and Human Services the responsibility of adopting rules to help individuals and companies keep important health information private.
HIPAA protects against unauthorized disclosure of any protected health information that pertains to healthcare patients.
HIPAA establishes a national set of security standards for protecting certain health information that is held or transferred electronically. In addition to privacy and security, administrative provisions were also included in HIPAA to improve the efficiency and effectiveness of the healthcare system.
These provisions include:
- Specific transaction standards and code sets
- A national standard of unique identifiers for employers, health plans, and healthcare providers
- Data security and electronic signatures
Pro Tip #1: HIPAA compliance is highly dependent on the size, function, administration, and type of entity or business association. Therefore, this training module is not intended to be a comprehensive HIPAA compliance guide.
Warning: Entities and business associates that are regulated by HIPAA's privacy and security rules are obligated to comply with all federal and state requirements and should not rely on this training alone as a source of legal information or advice. In addition, to ensure compliance with HIPAA, covered entities and business associates should regularly perform a risk assessment to track access to PHI and periodically evaluate the effectiveness and security measures that have been put into place.
Who is Mandated to Follow HIPAA's Requirements?
HIPAA law applies directly to two particular groups known as covered entities and business associates, and these can include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Tech companies
- Cloud service providers
- Anyone with access to PHI
What is a Healthcare Provider?
A healthcare provider is any provider of medical or other health services or any organization or person who transmits health information in electronic form. This includes organizations and individuals who provide billing services or are paid in connection to services in the course of doing business. Common examples include:
- Physicians
- Dentists
- Optometrists
- Nurses
- Mental health providers
- Radiology centers
- Chiropractors
- Psychologists
- Pharmacies
- Durable Medical Equipment (DME) providers
- Hospitals
- Ambulance companies
- Home healthcare workers
- Social workers
What is a Health Plan?
A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare.
What is a Healthcare Clearinghouse?
A healthcare clearinghouse is a public or private entity that processes healthcare transactions from one form to another in a required format. An example would be a third-party billing service that ensures that all information between a doctor's office and an insurance company complies with all HIPAA requirements.
Pro Tip #2: HIPAA applies to employers only to the extent that they operate in one of these three groups. Furthermore, the same standards apply to covered entities in both the public and private sectors.
If a company offered healthcare services and treatment to employees onsite – like an onsite clinic – the employer would be a covered entity and would be required to follow all HIPAA requirements.
What is a Business Associate?
A business associate is any company or individual with direct or incidental access to PHI or ePHI. Business associates are required to have in place:
- A risk assessment plan
- Proper training
- Specific policies and procedures
Examples of business associates include:
- IT vendors
- Call centers
- Court reporters
- Cloud providers
- Legal services providers
- Suppliers and manufacturers with access to PHI and ePHI
Business associates have the same requirements as covered entities to protect PHI and are required to notify covered entities of any potential and/or active data breaches. Business associates must also comply with HIPAA requirements by signing a contractual agreement with the covered entity – known as a Business Associate Agreement (BAA).
The BAA states that a business associate will only use protected health information for proper purposes and will safeguard it from misuse. Business associates must also comply with all HIPAA security requirements and will ensure administrative, physical, and technological safeguards are in place.
If a business associate violates the BAA, they will be in violation of the contract with the covered entity and in violation with HIPAA. In which case, the business associate will be held accountable for all penalties from both violations.
Pro Tip #3: If a business associate uses subcontractors, HIPAA requires contractual agreements between them. Subcontractors are held to the same HIPAA requirements when it comes to protected health information.
Related Q&A
What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (or simply the HIPAA Act). It is a United States privacy law with the intention to protect patient medical information and ensure confidential communication between patients and medical professionals.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal U.S. law designed to provide privacy standards to protect sensitive patient health information provided to health insurers, billing companies, doctors, hospitals and other health care providers. The act is meant to ensure this sensitive information is not disclosed without the patient's consent or knowledge.