The 2003 Privacy Rule was the first HIPAA-related document to use the term HIPAA “covered entities.” However, it was not immediately clear who exactly those covered entities were; the rule listed health plans, health care providers, and health care clearinghouses that electronically transmit health information as covered entities.
According to law, a “covered entity” is anyone who provides treatment, payment, and operations in healthcare. This includes health care providers, such as clinics, hospitals, doctors, nursing homes, and pharmacies. It also includes health clearinghouses, health insurance companies, health plans, certain government programs that pay for healthcare, such as Medicaid and Medicare, and Health Maintenance Organizations (HMOs).
Which organizations do not fall under the HIPAA Act?
According to the US Department of Health and Human Services, not all organizations have to follow the rules of the HIPAA Act. Some of these are:
- Employers and life insurers.
- Some municipal offices and law enforcement agencies.
- Most schools.
- Many state agencies, for example, child protective agencies.
According to the HHS definition of what health information is protected, all individually identifiable health information transmitted or held by a covered entity in any form, whether oral, on paper, or electronic, is protected. In other words, all healthcare providers are subject to the Privacy Rule, regardless of how they transmit, share, create, or store health information. But how does this affect business associates?
Business associates and subcontractors
A “business associate” provides services and functions involving the use or disclosure of protected health information on behalf of a covered entity. These services include data analysis, providing administrative services, and processing claims. Business associates can be a wide range of entities and individuals like accountants, attorneys, data storage firms, and data management companies. A member of the covered entity’s workforce is not a business associate.
Business associates fall under the HIPAA Act and must comply with the rules. Covered entities must enter into a business associate agreement (BAA) with their business associates, ensuring that they are aware of and abide by the HIPAA rules. Business associates must implement safeguards to ensure the integrity and confidentiality of PHI and prevent unauthorized access and disclosures. They must also notify their covered entity of any breaches and provide individuals with copies of their PHI if requested to do so.
Sometimes a business associate subcontracts work to another entity or person known as a business associate subcontractor. If that entity is required to access PHI to do its contracted duties, HIPAA rules apply and must be followed. Business associates must therefore also enter into a business associate agreement with subcontractors.
Hybrid entities are covered entities whose business activities include both covered and non-covered functions. Several kinds of organizations can operate as hybrid entities, for example, IT companies, municipalities, and research centers.
Now that we know business associates, subcontractors, and hybrid entities need to be HIPAA compliant, what about researchers?
Does HIPAA apply to researchers?
The answer is yes. Under the HIPAA Privacy Rule, covered entities may disclose health information for research purposes, provided that patients have authorized the disclosure and use of their PHI. A business associate agreement is not required, but covered entities must enter into a data use agreement with the researcher ensuring that HIPAA Rules will be followed.
Keeping all of this in mind, what penalties will covered entities and business associates face if they violate HIPAA Rules?
Penalties for Covered Entities & Business Associates
Covered entities who knowingly violate HIPAA Rules face a fine of up to $50,000 as well as one-year imprisonment. If an offense is committed under false pretenses, the penalty can be increased to $100,000 with up to five years in prison. Crimes committed with the intent to transfer, sell, or use PHI for malicious harm or personal gain can lead to fines of $250,000 and imprisonment for up to ten years.
Certain HIPAA Rules were extended by the HITECH Act to business associates, including entities that receive, maintain, create, and transmit PHI on behalf of covered entities. If business associates fail to comply with their HIPAA obligations, they can be directly liable for HIPAA penalties.
Let’s have a look at some frequently asked questions regarding who HIPAA applies to.
First of all, we need to be clear about what exactly a HIPAA compliance program is.
It consists of a compliance strategy, including analyses and risk assessments as well as the implementation of safeguards to protect the integrity and security of PHI. It also includes an understanding of processes for identifying and reporting HIPAA violations and effective employee training.
Employees of covered entities and business associates should be familiar with and must comply with HIPAA rules and regulations. The employer’s workplace policies should provide details of the consequences for violations and the process for investigating violations of HIPAA. If these policies do not exist, the employer is in violation of HIPAA.
What if an employee violates HIPAA by accident?
Accidents can and do still happen despite every precaution taken, and they should be taken seriously when they occur. If an employee causes an accidental disclosure of PHI, they must ensure that it is reported and corrected immediately.
Covered entities and business associates must implement measures and do all they can to prevent violations and breaches, even if they are accidental. The circumstances and damage caused by each violation must be looked into and assessed, which will determine the outcome of the investigation.
What is the Minimum Necessary Standard for disclosing protected health information?
This HIPAA Rule requires covered entities and business associates to ensure that access to PHI is limited to the minimum amount of information necessary to satisfy the intended purpose of a request.
This standard applies to uses and disclosures of PHI that are permitted under the HIPAA Privacy Rule, as well as to the accessing of electronic protected health information (ePHI).
Covered entities’ Minimum Necessary Standard policies and procedures should identify the persons within the covered entity who need access to the information to carry out their duties, the types of health information required, and conditions appropriate to such access.
But does HIPAA apply during public health emergencies?
The Secretary of the Department of Health and Human Services (HHS) may waive provisions of the HIPAA Privacy Rule when:
- The President declares a disaster or emergency.
- The Secretary of HHS declares a public health emergency.
Hospitals can also disclose PHI without written patient consent if it is required for treatment, patient referrals, and consults with other healthcare providers. If requested, covered entities notify public health authorities when a patient becomes infected with COVID-19 because this information is necessary to protect public health and safety.
Covered entities, business associates, subcontractors, and researchers all fall under HIPAA Rules and Regulations when accessing protected health information (PHI). Whether intentional or accidental, violations of these rules are treated very seriously and may carry hefty penalties.
Coggno has a wide range of HIPAA related online corporate training courses.