Paubox blog: HIPAA compliant email made easy

Who HIPAA does not apply to and why

Written by Kirsten Peremore | May 21, 2024

HIPAA applies to covered entities and their business associates, which are legally responsible for protecting your health information. Non-covered entities do not fall under the same strict rules and do not have to comply with HIPAA.


The distinction between a covered entity and a non-covered entity

The NHI offers the following guidance on which entities fall under the category of covered entity: "Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards."

A "covered entity" under HIPAA includes health-related organizations like hospitals, health insurance companies, and any healthcare providers who deal with medical records electronically. These entities must protect sensitive patient information, ensuring it's secure and private. They must allow patients to access their records and notify them if there's a security breach involving their information.

On the other hand, a "non-covered entity" doesn't have these obligations because it doesn't engage in activities that require adherence to HIPAA's stringent privacy rules. This could include companies outside the healthcare sector, such as life insurers or employers, who handle health information but not in a way that's regulated by HIPAA.

See also: What is a covered entity?


How to know if HIPAA applies to your organization?

By thoroughly evaluating operations, especially interactions with electronic PHI (ePHI) and their role in the healthcare ecosystem, organizations can identify if HIPAA applies to them. 

HIPAA covers health plans, healthcare clearinghouses, and healthcare providers that electronically transmit health information for billing or claims processing transactions. If an organization stores, processes, or transmits patient health information in any form, it must comply with HIPAA. 

Business associates—third parties that perform services for covered entities and handle PHI, such as billing companies, IT providers, or cloud storage services—are also subject to HIPAA. 


What to do if HIPAA applies to your organization

The HHS provides that, “A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”

The HIPAA Security Rule guides healthcare organizations in handling protected health information (PHI) by setting standards for securing electronic PHI. It requires them to implement administrative, physical, and technical safeguards. These include controlling who can access PHI, protecting against unauthorized access, and ensuring data integrity and availability. 

The best practices required by HIPAA include: 

  1. Conduct a risk analysis: Assess potential risks and vulnerabilities to PHI within your organization.
  2. Develop and implement policies and procedures: Establish guidelines for handling PHI, managing privacy and security, and responding to potential breaches.
  3. Designate a Privacy Officer and a Security Officer: Appoint individuals responsible for ensuring compliance and overseeing privacy and security initiatives.
  4. Train your workforce: Provide regular training to all employees on HIPAA regulations, privacy practices, and security measures.
  5. Establish technical safeguards: Implement access controls, encryption, and secure communication channels for transmitting electronic PHI.
  6. Create physical safeguards: Restrict access to facilities and workstations containing PHI.
  7. Implement administrative safeguards: Develop processes for workforce clearance, information access management, and security incident procedures.
  8. Enter into business associate agreements (BAAs): Establish contracts with any business associates that handle PHI on your behalf, outlining their responsibilities for maintaining compliance.
  9. Develop a breach notification plan: Create a protocol for notifying affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media in case of a PHI breach.

See also: What is a business associate agreement?


Who is not required to follow HIPAA? 

Entities not required to comply with HIPAA include a variety of organizations and individuals who do not handle health information in a way that makes them subject to HIPAA's rules. 

Some more ambiguous organizations that HIPAA usually doesn't apply to include:

  • Life insurers, for example, may collect health information but do not transmit it electronically for billing or claims processing purposes. 
  • Employers are also exempt because they handle employee health information for purposes like health benefits administration, but not in the context covered by HIPAA. 
  • Workers' compensation carriers, which deal with health information to process claims, are similarly not covered. 
  • Many schools and school districts, although they may collect health information on students, are governed by different privacy laws such as FERPA (Family Educational Rights and Privacy Act). 
  • State agencies like child protective services and law enforcement agencies also fall outside of HIPAA's scope because their primary functions do not involve the electronic transmission of health information for transactions covered by HIPAA.

The transactions covered by HIPAA

HIPAA covers a wide range of transactions, communications, and interactions that involve the electronic exchange of health information. This includes: 

  • billing and submitting health insurance claims, which allows providers to get paid for their services.
  • processing payments and conducting benefit eligibility inquiries.
  • referral authorization requests, where one healthcare provider gets approval from an insurer for a patient to see a specialist.

It also applies to communications between healthcare providers regarding patient treatment, such as consultations and care coordination. It extends to the sharing of health information with business associates, like billing companies, data analysts, and IT support services that handle PHI on behalf of covered entities.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

Does HIPAA apply to life insurers?

No. Life insurers do not process electronic health information for healthcare-related transactions, so HIPAA does not cover them.


Are employers required to comply with HIPAA?

No. Employers handle employee health information for administrative purposes but do not engage in electronic healthcare transactions.


Do workers' compensation carriers need to follow HIPAA regulations?

No. Workers' compensation carriers manage health information to process claims, which is outside HIPAA’s scope.