About a month ago, we had a call with the IT management of a regional dental plan. During the call, this question came up: "How do I know when my obligation for email encryption ends?" In a nutshell, they were curious to learn more about how email encryption responsibility works for Covered Entities.
Here are the topics we'll cover in this post:
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are referred to as Covered Entities. The 3 categories of HIPAA Covered Entities are:
As you can see from the above, Covered Entities can be institutions, organizations, or persons. Learn more: Covered Entities [HHS]
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule uses the term Protected Health Information (PHI) to define the type of patient information that’s protected by law. PHI is an important factor for HIPAA compliance. PHI isn’t just confined to medical records and test results.
In fact, any information distributed by a business associate that can identify a patient and is used or disclosed to a covered entity during the course of care is considered PHI. Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI.
Read full article: What is Protected Health Information (PHI)?
By law, the HIPAA Privacy Rule applies only to Covered Entities. Most Covered Entities, however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations. If these services involve the use of protected health information, then that organization is a Business Associate.
In summary, HIPAA compliance regulations apply to both Covered Entities and the Business Associates that serve them.
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.
Read full article: What does it mean to be a Business Associate?
A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA).
If you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.
Read full article: Business Associate Agreement Provisions
Now that we've covered basic HIPAA terminology, we're ready to determine when liability for a Covered Entity or Business Associate ends once a secure email has been delivered. Our staff dug deep into the HIPAA Omnibus Rule to find the correct answer.
In the middle paragraph of page 5634, we see that: "Further, covered entities are not responsible for safeguarding information once delivered to the individual."
Once a secure email has been delivered to the end recipient's system, the covered entity or business associate has fulfilled their obligations for the HIPAA Privacy Rule.