
Who Must Comply with HIPAA?

HIPAA applies to three categories of organisations: covered entities, business associates, and their subcontractors

A cloud storage provider hosts medical records. A billing company processes insurance claims. A janitorial service cleans exam rooms where paper charts sit on countertops. An attorney reviews malpractice cases involving patient files. Which of these organisations must comply with HIPAA?

The answer surprises most people: all of them.

The Three Categories of HIPAA-Covered Organisations

HIPAA obligations extend far beyond hospitals and doctors' offices. The law defines three categories of entities that must comply:

Covered Entities

A covered entity is any organisation that meets one of these criteria:

  • Healthcare providers — Doctors, clinics, hospitals, dentists, pharmacies, nursing homes, and any provider that transmits health information electronically in connection with a HIPAA-standard transaction (such as electronic billing)
  • Health plans — Health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and government-funded healthcare programmes
  • Healthcare clearinghouses — Entities that process non-standard health information into standard formats, such as billing services that reformat healthcare claims

Business Associates

A business associate is any person or entity that performs functions on behalf of a covered entity that involve the use or disclosure of PHI. This is where the net widens dramatically. Common business associates include:

  • IT service providers — Cloud hosting, software vendors, managed IT services
  • Billing and coding companies
  • Legal firms handling healthcare cases
  • Accounting and auditing firms
  • Data analytics and research organisations
  • Shredding and document destruction companies
  • Email and communication platforms that handle PHI
  • EHR vendors and health IT consultants
  • Physical storage companies that house medical records

Subcontractors

The Omnibus Rule of 2013 extended HIPAA obligations to subcontractors of business associates. If a business associate hires another company to handle PHI — for example, a cloud backup service — that subcontractor is also directly liable for HIPAA compliance.

The Business Associate Agreement

Every covered entity must have a written Business Associate Agreement (BAA) with each of its business associates before any PHI is shared. The BAA establishes:

  • What PHI the business associate may access
  • How it must be safeguarded
  • How breaches must be reported
  • What happens to PHI when the relationship ends

Operating without a BAA is itself a HIPAA violation.

Every covered entity must have a written BAA with each business associate before any PHI is shared

Organisations That Are NOT Covered by HIPAA

Not every entity that handles health information is subject to HIPAA. Important exceptions include:

  • Employers — Managing employee health benefits is generally not covered (though their group health plans are)
  • Life insurance companies
  • Schools and universities — Student health records are typically covered by FERPA, not HIPAA
  • Law enforcement agencies
  • Most mobile health apps — Unless they are acting on behalf of a covered entity
  • State agencies administering programmes like workers' compensation
  • Direct-to-consumer genetic testing companies — Unless they provide services to a covered entity

When Does Compliance Begin?

HIPAA compliance is not optional or phased. If your organisation meets the definition of a covered entity or business associate, you must be compliant from day one. There is no grace period.

For new organisations, this means:

  1. Conduct a risk assessment before handling any PHI
  2. Implement administrative, physical, and technical safeguards
  3. Draft policies and procedures
  4. Execute BAAs with all vendors who will access PHI
  5. Train all workforce members before they begin working with patient data

Common Misconceptions

"We are too small to be audited."

The HHS Office for Civil Rights investigates complaints regardless of organisation size. Small practices have received penalties in excess of $100,000.

"We do not store patient data electronically, so the Security Rule does not apply."

If you transmit any standard electronic transaction — such as submitting a claim electronically — you are a covered entity. The Privacy Rule applies to PHI in all forms, including paper.

"Our vendor handles compliance for us."

Business associates have direct liability under HIPAA. Covered entities cannot outsource their compliance obligations, and both parties can be penalised for violations.

The Bottom Line

HIPAA's reach is broader than most organisations realise. If your business touches patient health information in any way, the safest approach is to assume you have compliance obligations — and to verify that assumption with qualified legal counsel.


Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
