The answer to the question who does HIPAA apply to is most often generalized as health plans, health care clearinghouses, and health care providers along with their Business Associates. Some sources also include contractors who provide services to Business Associates. However, this is not a complete answer.
The primary objective of HIPAA was to reform the health insurance industry and – in order to meet its objective – the Secretary for Health and Human Services developed standards for the electronic transmission of certain insurance-related financial and administrative transactions. All health plans and health care clearinghouses perform these so-called “covered transactions”, and all businesses in the health insurance industry are “HIPAA Covered Entities”.
While most health care providers also perform covered transactions, and are therefore Covered Entities by definition, not every organization that provides a health care service is automatically a HIPAA Covered Entity. For example, ambulance services that do not bill electronically are not Covered Entities – although they may be required to comply with the provisions of HIPAA if they provide a service for a Covered Entity as a Business Associate.
Therefore, although it is not incorrect to generalize that HIPAA applies to health plans, health care clearinghouses and healthcare providers, there may be times when the definition of a HIPAA Covered Entity requires a little more explanation – notwithstanding that, as well as there being scenarios in which a Covered Entity can be a Business Associate for another Covered Entity, other types of organizations can be classified as Partial Entities or Hybrid Entities.
How Does HIPAA Apply to Business Associates?
Strictly speaking, only the Security Rule provisions of HIPAA apply to Business Associates. However, according to HHS guidance, Covered Entities are required to obtain “satisfactory assurances that the Business Associate will use information [disclosed to the Business Associate] only for the purposes for which it was engaged by the Covered Entity, will safeguard the information from misuse, and will help the Covered Entity comply with some of the Covered Entity’s duties under the Privacy Rule.”
Also, in the HHS´ guidance to the Direct Liability of Business Associates, it is stated that the Office for Civil Rights has the authority to enforcement action against Business Associates for Privacy Rule violations such as impermissible uses and disclosures of PHI, failing to provide an accounting of disclosures, and taking retaliatory action against a whistle blower. Business Associates are also required to comply with certain provisions of the HIPAA Breach Notification Rule.
The same provisions also apply to contractors who perform services for – or provide services on behalf of – a Business Associate as third-party contractors are effectively Business Associates of Business Associates and subject to the same provisions of HIPAA. Therefore, the safest approach is to assume HIPAA applies to any organization that receives, creates, maintains, or discloses Protected Health Information on behalf of a Covered Entity or a Business Associate.
What are Partial Entities and Hybrid Entities?
Partial Entities and Hybrid Entities are organizations that perform covered transactions that are not part of their regular operations. For example, employers that administer their own self-insured health plans are subject to partial compliance even though the business operations and the health plan are separate entities. In these circumstances, the self-insured health plan can share PHI with the business, but only for the purposes of administering the health plan.
The term Hybrid Entities is most often used for postsecondary teaching institutions that provide healthcare facilities for non-students. The reason institutions may be considered Hybrid Entities is because medical services provided to students are part of their educational record under FERPA, but medical services provided to non-students are subject to HIPAA. Like Partial Entities, Hybrid Entities must keep HIPAA components of operations separate from the non-HIPAA components.
FERPA is not the only federal law that pre-empts HIPAA. There are occasions when disclosures of PHI are permitted by HIPAA but not allowed under federal laws such as the Privacy Act or the Substance Abuse Confidentiality Requirements. Conversely, there may be times when disclosures of PHI are prohibited under HIPAA but allowed under exceptions such as the Military Command Exception. In addition, state laws can complicate the answer to who does HIPAA apply to.
Who Does HIPAA Apply to when State Laws Preempt HIPAA?
As a rule, HIPAA preempts federal and state laws unless the federal or state law provides greater privacy for Protected Health Information or more patients´ rights. Most states have data privacy laws with provisions that preempt HIPAA, but usually only in specific circumstances – for example, in relation to obtaining patient consent, to disclosing test results, or for administering emergency care. In these circumstances, state law rather than HIPAA applies to Covered Entities.
A notable exception is organizations subject to the Texas Medical Records Privacy Act. Any individual or organization – regardless of status under HIPAA or location in the United States – is a Covered Entity under the Texas Medical Records Privacy Act if the PHI of a Texas citizen is collected, processed, maintained, or disclosed by the individual or organization – even if the Texas citizen was not in Texas at the time the PHI was collected, processed, maintained, or disclosed.
This means that if a Texan student receives medical attention at a teaching institution in New York, the teaching institution is a Covered Entity under Texan law even though it is exempt from being a Covered Entity under HIPAA because FERPA preempts HIPAA. As you can see, the answer to the question who does HIPAA apply to is not always as straightforward as it is presented to be, and organizations unsure whether they are covered by HIPAA should seek compliance advice.