
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. Its purpose is to establish common standards across the United States healthcare system so that patient information is protected.

However, there is often confusion among businesses and employees about whether HIPAA applies to them. Here’s what you need to know about who HIPAA applies to and how you can ensure compliance if you’re one of those entities.

Who Does HIPAA Apply To?

HIPAA’s privacy rule applies to healthcare providers, healthcare plans, and healthcare clearinghouses that transmit health information through any type of communication method. Put simply, this means it applies to anyone who has access to, needs to use, or needs to disclose private health information (PHI). 

The two most common categories of HIPAA-compliant entities are called covered entities and business associates.

What is a Covered Entity Under HIPAA?

Covered entities (CEs) are individual or group plans that provide or pay the cost of medical care. This could include health, dental, vision, prescription, Medicare, or Medicaid organizations and those who work within them.

What is a Business Associate Under HIPAA?

Business associates (BAs) are individuals or entities that carry out operations or responsibilities that involve using or disclosing PHI, either on behalf of or as an agent of a covered entity. This could include people or organizations involved in billing, benefits management, quality assurance, legal, and more. 

It’s important to note that a covered entity is liable for the activities of any business associate that is its agent.

What Types of Information Are Covered Under HIPAA’s Privacy Rule?

PHI includes any information that relates to a patient’s past, present, or future physical or mental health condition or payment status, where there is a reasonable belief that it could be used to identify the patient. This could include (but is not limited to) information such as:

  • Name
  • Address
  • Birth date
  • Social security number
  • Date of performed health service
  • Lab results, or any other medical information that could be tracked to a specific person

Requirements for Use and Disclosure of Private Health Information

The biggest challenge most organizations face with HIPAA compliance is protecting PHI while still allowing necessary information to be passed along for the purpose of providing high-quality care. For this reason, it’s important to understand the instances where use and disclosure of PHI is permitted vs. when it’s not.

Instances when PHI may NOT be used or disclosed include: 

  • Communication with unauthorized individuals or entities
  • Whenever using or disclosing PHI is not necessary, even while communicating with an authorized individual or entity. The “minimum necessary” standard states that an individual or entity should only use, disclose, or request the minimum amount of PHI needed to complete the particular task at hand.

Instances when PHI may be used or disclosed include: 

  • As HIPAA’s privacy rule permits
  • When an individual who is the subject (or their personal representative) authorizes it in writing

Instances when PHI MUST be used or disclosed include: 

  • When an individual (or their personal representative) specifically requests it. However, there are exceptions to this, like:
    • Psychotherapy notes
    • Information compiled for legal proceedings
    • Lab results to which the Clinical Laboratory Improvement Amendments (CLIA) prohibit access
    • If the CE or BA believes access to information could cause harm to either the patient or someone else

As an Employee or Supervisor, What Can You Do? 

It is a shared responsibility between employees, supervisors, and entire organizations to ensure HIPAA compliance and PHI protection. Here are tips to help keep confidential information safe.

For employees:

  • Avoid sharing PHI with anyone (even coworkers) who may not need to know
  • Avoid discussing PHI in public areas or on phone conversations
  • Keep PHI out of sight of those who may not need to view it
  • Make sure casual visitors can’t easily access areas where PHI is stored
  • Never leave PHI on voicemails or with anyone answering other than the patient or their representative
  • Notify your supervisor immediately if you suspect a breach

For supervisors:

  • Follow all of the employee tips listed above
  • Provide HIPAA training resources for new hires
  • Conduct ongoing HIPAA training workshops with employees
  • Ensure a positive safety culture that encourages employees to follow compliance rules and speak up if they suspect a breach

For More Information on HIPAA Requirements, Sign Up for eSafety Online Training

If you’re looking for a great way to train your team on HIPAA compliance, check out eSafety’s library of online training courses. Our HIPAA Awareness course is informative, engaging, and designed to bring lasting results throughout your entire organization. Submit a request for a quote online or give us a call, and we’ll be happy to assist you.