Compliance with federal laws and industry regulations is a priority concern for all healthcare organizations. However, some assume that only specific institutions are covered by the Health Insurance Portability and Accountability Act (HIPAA) rules.
Understanding who needs to be HIPAA compliant will save you from potential penalties and long-term reputational damage. If your organization or business handles protected health information (PHI) in any capacity, then you must abide by the guidelines set by HIPAA.
Let’s dive into the details a bit further.
Who Needs to Comply With HIPAA?
Covered entities
Covered entities should follow the national standards for privacy and security as set by HIPAA. The HIPAA Privacy Rule and Security Rule identify the following as “covered entities”:
- Healthcare providers: This category includes healthcare professionals, such as doctors, nurses, hospitals, clinics, pharmacies, and any other entity that provides medical services or treatment to patients.
- Health plans: Health insurance companies, Health Maintenance Organizations (HMOs), and government health programs (e.g., Medicare and Medicaid) that pay for healthcare services are considered health plans and must comply with HIPAA.
- Healthcare clearinghouses: According to the Computer Security Resource Center, a healthcare clearinghouse is any public or private entity, such as billing services, repricing companies, “value-added” networks, and switches, that converts health information received from another entity from a nonstandard format to a standardized format, or performs the reverse conversion for the receiving party. For example, a clearinghouse for medical claims acts as an intermediary, receiving electronic claims from healthcare practices, checking them for errors, and securely sending them to insurance carriers. This process must protect PHI according to strict HIPAA standards.
- Any healthcare provider that conducts financial and administrative transactions electronically: Examples are providers that send bills or transfer funds digitally. The government has set standards for how these electronic transactions must be carried out while safeguarding PHI.
Business associates
HIPAA compliance extends to entities that provide services or perform functions on behalf of covered entities and have access to PHI. These are known as business associates and include:
- Third-party billing companies: Organizations that handle billing and claims processing on behalf of healthcare providers fall under this category.
- Medical transcription services: Businesses offering medical transcription services must adhere to HIPAA regulations due to their access to patient health information.
- Cloud service providers: Cloud-based service providers (e.g., EHR and practice management solutions) that store, process, or transmit patient information on behalf of covered entities are considered business associates.
- Legal firms: Law firms representing healthcare providers are considered business associates, particularly if they have access to PHI and have signed a business associate agreement (BAA).
Subcontractors
The HIPAA Omnibus Rule clarified that subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are considered business associates themselves. This means subcontractors are subject to the same HIPAA requirements as primary business associates, including signing business associate agreements (BAAs) with the entities they serve.
Penalties for Non-Compliance With HIPAA
If a HIPAA breach happens in your organization, the Office for Civil Rights (OCR) under the US Department of Health and Human Services (HHS) will investigate it. Where a HIPAA violation is found, civil monetary penalties are imposed under the Code of Federal Regulations.
The penalties for HIPAA violations are tiered and depend on the severity and extent of the offense:
- Tier 1 (unknowing offense): Fines for violations falling under this category can range from $100 to $50,000 per incident, with an annual cap of $1.5 million.
- Tier 2 (reasonable causes): Fines for violations under this category usually range from $1,000 to $50,000, with an annual maximum of $1.5 million.
- Tier 3 (willful neglect with corrections): Fines under this violation tier usually range from $10,000 to $50,000, with a maximum annual limit of $1.5 million.
- Tier 4 (willful neglect without corrections): Penalties under this tier are the highest, usually starting at $50,000 per violation, with an annual maximum of $1.5 million.
In addition to these financial penalties, non-compliance with HIPAA can lead to reputational damage, loss of trust from patients and stakeholders, and legal action (e.g., class-action lawsuits) from affected individuals.
Does Your Organization Need to Comply With HIPAA?
Understanding who needs to be HIPAA compliant is one of the first steps toward compliance. Following HIPAA regulations is critical for any individual, company, or business that handles PHI.
Whether you are a covered entity, business associate, or subcontractor, you are legally and ethically responsible for safeguarding the PHI you handle against unauthorized access, data breaches, and other malicious acts.
If your organization is covered by HIPAA rules, it is best to ensure compliance as soon as possible.