Who is responsible for adhering to HIPAA compliant practices?

Everyone who works within healthcare and who handles protected health information (PHI), is responsible for adhering to HIPAA compliant practices. Any party involved in the use or disclosure of PHI, including business associates (i.e., vendors), must follow HIPAA’s regulations. That is because the HIPAA Act ensures that patients always remain protected.

Adhering to HIPAA and its standards facilitates the safety of patients and their health information. It promotes a trusting patient-provider relationship and ultimately leads to better patient care.

Learn more: HIPAA compliant email: The definitive guide

Who should be HIPAA compliant

According to the U.S. Department of Health and Human Services (HHS), “Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.” The term covered entity applies to healthcare providers, health plans, and healthcare clearinghouses and includes smaller health organizations.

Added along with covered entities are business associates, subcontractors, and sub-business associates. These organizations are vendors that work with covered entities or work with vendors that work with other associates of healthcare organizations. Examples of these organizations include medical billing companies, IT service providers, transcription services, and cloud storage providers.

Covered entities and their business associates are responsible for extensive HIPAA compliance. Furthermore, they are responsible for ensuring the compliance of their staff and anyone who handles PHI. Failure to comply can result in a HIPAA violation, investigation, and possible fine.

HIPAA compliance: A general guide

The Health Insurance Portability and Accountability Act of 1996 is a federal law established to protect sensitive patient information from being disclosed without a patient's knowledge or consent. HHS’ Office for Civil Rights (OCR) is responsible for overseeing and enforcing the act. The HIPAA rules discussed most often with PHI privacy are the Privacy Rule and Security Rule. Together, they provide essential guidelines for the proper protection and disclosure of PHI.

A healthcare organization becomes HIPAA compliant organization by:

• Keeping up-to-date policies and procedures
• Implementing strong physical and technical safeguards
• Signing a business associate agreement with business associates
• Training staff on compliance needs
• Obtaining patient consent when using or disclosing PHI
• Utilizing separate, offline backup for sensitive information

Providers must demonstrate that effort was made to block breaches, whether from human error, a cyberattack, or technical failure. Any healthcare organization that OCR finds noncompliant has committed a HIPAA violation, no matter how the original breach happened. That provider may even find itself on HHS' Wall of Shame and subject to sanctions, angry patients, and a long cleanup period.

Related: Understanding and implementing HIPAA rules

Who HIPAA doesn’t apply to

Non-covered entities don’t need to follow the same strict rules as covered entities and don’t need to comply with HIPAA. Examples include organizations outside the healthcare sector, such as life insurers. Other entities that HIPAA doesn't usually apply to include:

• Employers who handle employee health information for things like health benefits administration
• Workers' compensation carriers who use health information to process claims
• Schools and school districts that collect student health information but are governed by different privacy laws such as FERPA (the Family Educational Rights and Privacy Act)
• State agencies, such as child protective services and law enforcement, whose primary functions do not involve the electronic transmission of health information

As shown in the list above, non-covered entities may handle health information but not in a way that must be regulated by HIPAA. In other words, they don’t engage in activities that require adherence and don't have the same obligations.

Identifying if HIPAA applies to you

If your organization falls into the definition that HHS provides, you are most certainly a covered entity. Moreover, if you work with a covered entity, there’s a chance that you are a business associate or a sub-business associate. If an organization stores, processes, or transmits a patient’s health information in any form, it must comply with HIPAA.

By thoroughly evaluating your operations, especially interactions with electronic PHI (ePHI), organizations can identify if HIPAA applies to them. The Centers for Medicare and Medicaid Services (CMS) provide several useful tools for checking if you are a covered entity. For example, organizations can use the Covered Entity Decision Tool to figure out if HIPAA’s administrative simplification provisions apply to them.

Proving HIPAA compliance

There are no formal certification programs to prove to patients, HHS, or other covered entities that an organization is compliant. That being said, covered entities and business associates can do other things. For example, organizations can complete in-house audits, such as the OCR HIPAA Audit Protocol, to demonstrate that they monitor their HIPAA compliant practices. Furthermore, covered entities can instead hire independent compliance reviewers to confirm adherence.

Ultimately, implementing robust security measures and staying on top of security needs are essential to establishing compliance. Having them in place shows patients and other healthcare organizations that they can be trusted to provide secure patient care.

FAQs

Does HIPAA apply to all healthcare providers?

Yes, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. These entities are directly responsible for complying with HIPAA regulations.

What is HIPAA compliance?

HIPAA compliance refers to adhering to regulations outlined in the Health Insurance Portability and Accountability Act to safeguard patients’ protected health information (PHI).

Go deeper: What is HIPAA?

How does HIPAA compliance impact patient trust?

When providers are HIPAA compliant, they demonstrate a commitment to safeguarding patient privacy, improving trust in the patient-provider relationship.

Do I need patient consent to share protected health information (PHI) with other entities?

In most cases, covered entities can share PHI without patient consent for treatment, payment, and healthcare operations. However, there are exceptions and limitations, and reviewing the specific requirements outlined in the Privacy Rule is necessary.