HIPAA and its enormous body of regulations does one thing very well: create confusion. One of the biggest areas of confusion is who the regulations actually apply to, that is, who is bound by HIPAA. In this training module we will cover that, so we can clear up any confusion you might have.
HIPAA creates four categories of entities that would fall under the law. These are:
Health Care Providers: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, but only if they transmit health information in an electronic format, such as electronic billing.
Health Plans: health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
Healthcare Clearinghouses: entities that process health information, usually for billing purposes.
The above three are collectively known as Covered Entities.
Business Associates: third-party entities that work on behalf of a Covered Entity, such as IT service providers, billing companies, collections agencies, etc.
There are two important points to keep in mind: the entity must transmit billing information electronically, and not everyone who creates health information is covered by HIPAA. Let’s go through some examples.
Example 1:
Someone you know who doesn’t work for any healthcare-related entity finds out that you have a health condition. They then post this information to social media for the world to see. This person hasn’t violated your rights under HIPAA: they are not in any of the four categories of HIPAA entities, so the law doesn’t apply to them. They may well have violated other privacy-related laws, but not HIPAA.
Example 2:
To enter a restaurant, you are required to show proof of COVID-19 vaccination. This is not a violation of HIPAA. The restaurant isn’t in any of the four categories that HIPAA governs, so it is not violating your rights under HIPAA.
Example 3:
You visited an urgent care clinic that only accepts cash as payment (no insurance billing). They suffered a breach and all patient records were exposed. They have not violated HIPAA because they are not covered by it: since they only accept cash payments and do not perform insurance billing, HIPAA doesn’t apply to them.
Example 4:
Your clinic’s outside billing service was hacked and all patient data was stolen. This is a breach under HIPAA. The billing company is a Business Associate of the clinic and is therefore required to maintain patient privacy under the law. This in turn makes the practice responsible, as it is the Covered Entity.
Example 5:
As part of taking a new job, you were required to take a drug test. The person in the clinic announces your results in a waiting area where other patients can clearly hear them. This is not a violation of HIPAA, as drug testing companies do not bill insurance companies and are not Covered Entities.
Example 6:
You wear a health fitness device (like a Fitbit) and the company was breached. All of your information, such as heart rate, weight, and other data, was published online. This is not a violation of HIPAA, as the company that makes and monitors these devices isn’t a Covered Entity.
I hope these examples clear up any confusion you might have had about who is and isn’t covered under HIPAA regulations. We tend to view HIPAA as a massive law that protects all health-related information all of the time, but this just isn’t the case. It is narrowly focused in both who it applies to and what protections patients are given. The law was written at a time when we didn’t have many of the devices and technologies we have today. Because of that, a lot of things that perhaps should be protected under HIPAA simply aren’t.