"I'm Not a Doctor." But Are You a HIPAA Business Associate? Why You Should Care About HIPAA
Who does HIPAA apply to? A common misconception is that HIPAA only applies to healthcare organizations and their administrators, such as family practitioners, cardiologists, and hospitals. While it is a predominant concern for this sector and its related specialists, HIPAA coverage extends to many other industries — anywhere protected health information (PHI) is collected, stored, or shared — think of personal injury law firms as an example. So, if you work or use services outside of the healthcare field, you should educate yourself on how HIPAA rules and the consequences of non-compliance can affect you, and we have some tips for consideration.
Does HIPAA Only Apply to Healthcare Entities?
According to the HIPAA Journal, PHI consists of any information that is "considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses)."
PHI can consist of information like:
- Medical test results
- Diagnoses
- Prescription information
If a patient can be identified via the information available, then that information is covered under HIPAA.
To get more specific, the 2003 HIPAA Privacy Rule document introduces the concept of a HIPAA Covered Entity. These entities are healthcare organizations that transmit health information in any form: electronic, written, or even oral. Covered entities can also include health insurance providers, or even employers that sponsor health insurance plans for their employees.
What is a HIPAA Business Associate Agreement?
The business associate definition by the Department of Health and Human Services (HHS) is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."
When a HIPAA covered entity wants to outsource work to another company, such as a payment collection agency, it must enter into a Business Associate Agreement (BAA). This agreement specifies the responsibilities of each party as they relate to handling PHI.
In contrast to covered entities, business associates can include the following individuals or company types:
- Data analysts
- Billing or payment service providers (including collection services)
- Law firms
- Data storage providers
What is the Purpose of the Business Associate Agreement?
Business associates are not directly involved in providing care; they do, however, manage PHI as part of agreements they may have with a healthcare organization or directly with a patient. Business associates must adhere to the rigorous standards of HIPAA, including safeguarding the data and using it only for the purposes originally assigned. Like healthcare organizations, business associates must also provide patients with their PHI if requested, and they must notify the HHS should a breach occur. In some cases, business associates subcontract work. These subcontractors must follow the same rules that apply to a business associate, and they must have a HIPAA BAA in place as part of any agreement.
3 Non-Medical Entities That Should Consider HIPAA
When asking "who must comply with HIPAA?", non-medical organizations are an important part of the answer. Although a particular organization may not directly deliver care, it may still handle PHI. This is mainly the case with business associates who provide third-party services to healthcare providers and patients. A few notable examples include:
- Law Firms: According to Formstack, "HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates 'when the legal services provided involve disclosure of PHI from a covered entity' or from another business associate to the firm." For example, in personal injury law, firms may need to collect and share data on an individual's health condition(s) to analyze and present a case.
- Billing/Payment Services: Most covered entities, like hospitals or healthcare specialists, rely on a third-party organization to collect payment. As discussed under "covered entity vs. business associate" earlier in this post, payment collection agencies are considered business associates. They can assist healthcare organizations in collecting credit card payments and in managing items like payment plans.
- Cloud Service Providers: Healthcare providers are embracing the cloud and moving away from clunky, costly, and unreliable physical infrastructure for data storage. With that said, cloud service providers can act as storage points for large amounts of PHI. Think of entire hospital systems storing almost all patient data in the cloud. As business associates, cloud service providers have the monumental task of ensuring PHI remains safe and secure on their servers.
Learn more about cloud uptake in healthcare: Advantages and Disadvantages of Cloud Computing in Healthcare
The Bottom Line: HIPAA Goes Beyond Healthcare
It makes plenty of sense that covered entities like hospitals and healthcare specialists need to abide by HIPAA requirements. But there are many other organizations that do work for covered entities or directly with patients and must preserve the confidentiality and integrity of PHI in the same way a healthcare organization would. Whether you are working for a covered entity or for a third-party organization doing work on its behalf, be sure to enter into a business associate agreement so that everyone understands their role in protecting PHI.
Read more by downloading Giva's whitepaper "Why HIPAA Compliance Should Be Applied to Other Industries to Increase Security".