HIPAA protects patient privacy, but doctors are not the only covered entities that handle sensitive information such as medical records. As such, you may be wondering whether your institution must abide by the HIPAA Privacy Rule.
So who does the HIPAA Privacy Rule apply to?
Answer: The HIPAA Privacy Rule applies to all covered entities: health care providers, health plans and health care clearinghouses, as well as the health care component of a hybrid entity. Note that since the HITECH Act, business associates (vendors that create, receive, maintain or transmit protected health information on a covered entity's behalf) are also directly liable for HIPAA violations.
- Health care providers: An individual or group that provides medical or health services and furnishes, bills or is paid for health care in the normal course of business. A provider is a covered entity only if it transmits health information electronically in connection with a transaction for which HHS has adopted a standard (for example, submitting claims electronically); a provider that does so, even through a billing service, is covered. Examples: General practitioners, podiatrists, optometrists, nurse-midwives, clinical social workers, psychologists, dentists, chiropractors and pharmacists.
- Health plans: An individual or group plan that provides medical care or pays for the cost of it. This covered entity may also be a combination of individual and group plans. Examples: Health insurance companies, Medicaid, Medicare (parts A and B), military or veteran health care programs, company health plans and Health Maintenance Organization plans.
- Health care clearinghouses: According to the U.S. Department of Health and Human Services, an entity that receives nonstandard health information from another entity and processes it into a standard data format or electronic transaction is a health care clearinghouse. The reverse also qualifies: receiving a standard transaction and converting it into a nonstandard format for the receiving entity. Examples: Community health management information systems, billing services, repricing companies and value-added networks.
- Hybrid entities: According to the National Institutes of Health, a single legal entity that performs both functions covered under HIPAA and functions that are not covered as part of its normal business operations is a hybrid entity. An organization can elect hybrid-entity status to avoid applying the Privacy Rule to the whole organization; it must then designate its covered functions as one or more health care components in writing, and the Privacy Rule applies to those components. The entity remains responsible for ensuring that the health care component does not disclose protected health information to the non-covered parts of the organization in ways the Rule would not permit for a separate entity. Examples: A university with an academic medical center hospital, insurance carriers with lines of business both inside and outside the health care industry, and corporations outside the health care industry that operate on site at health care provider locations.
Penalties related to noncompliance
It is vital for organizations to understand whether they are covered entities, as this determination is the first step in building internal policies and procedures to safeguard protected health information. A covered entity that violates HIPAA without knowing it is subject to civil penalties starting at $100 per violation (the original statutory figure; HHS adjusts the amounts for inflation annually). However, with the covered entity definitions so readily available, a failure to determine one's own status and act on it risks being treated as willful neglect, which carries a minimum penalty of $10,000 per violation even when the covered entity corrects the problem, and a higher minimum when it does not.