A General Overview of Title II: Subtitle F, Administrative Simplification of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

 

The Health Insurance Portability and Accountability Act of 1996, commonly referred to in healthcare circles as the “HIPAA” laws, was implemented with the hope of simplifying the process of recording healthcare documents and providing an easier way for healthcare providers to “communicate” patients’ protected health information, or “PHI.” Efficiency and commonality being natural drawing points, HIPAA was a welcome change from the outdated and stagnant medical records systems of the past. To most of those individuals for whom “HIPAA” is a routine part of the daily vernacular, the reference to the federal law is actually a call to one subsection in particular: Title II: Subtitle F, Administrative Simplification. This section is the heart of the HIPAA statute: it provides the standards that must be implemented when dealing with PHI, sets out the penalties that may be levied against violators of HIPAA requirements, and gives healthcare providers and health plans alike other procedures for proper day-to-day compliance. Within the HIPAA statute, Title II: Subtitle F, Administrative Simplification is further subdivided into three main components: the Privacy Rule, the Security Rule, and the Transaction Rule. These three rules, in conjunction with the general framework of HIPAA and more recently the HITECH Act, function to guide the healthcare services and payment professions.

With that general primer, here is a skeleton of HIPAA Title II: Subtitle F, Administrative Simplification and the key information that any healthcare professional should know so as to become and remain compliant with the federal laws on personal healthcare information.

General Tenets of the HIPAA Statute:

An entity that must comply with the HIPAA laws is called a Covered Entity (“CE”). To be a Covered Entity, one must: (1) transfer patient treatment information (2) electronically. Accordingly, healthcare providers who do business on paper only need not concern themselves with the HIPAA laws. However, even sending one patient’s information via an electronic medium will sufficiently characterize a healthcare provider as a HIPAA covered entity. There are three types of HIPAA Covered Entities: Healthcare Provider, Health Plan, and Healthcare Clearinghouse.

  • Healthcare Providers are those entities that provide healthcare to patients, such as doctors, hospitals, and the like. To be a healthcare provider-type covered entity under HIPAA, one must: (1) provide healthcare and (2) send or transmit patient treatment information (PHI) electronically (3) in connection with a standard transaction.
  • A Health Plan is an individual or group plan that provides or pays the cost of medical care. To qualify as a health plan-type covered entity under HIPAA, one must actually be providing payment for the costs of patients’ medical care.
  • Finally, Healthcare Clearinghouses translate health information into an electronic language that makes communicating that information much more streamlined.

In the course of business, a Covered Entity may contract with a Business Associate (“BA”). A Business Associate is a person (natural person or corporate entity) who provides a service to or for a covered entity and who has access to PHI. A business associate relationship exists if the following key elements are present:

  • Person: A person, either a natural person or a corporate entity, that is providing a service to a covered entity. 
  • Service to/for a covered entity: That service must be provided to or for a HIPAA covered entity.
  • Access: The person must have access to PHI in the course of the service. There are two exceptions to the general definition of access under the guise of the BA relationship: (1) By-product exception: If access to PHI is a byproduct of the duty and could not be reasonably prevented, then the access element fails and there is no business associate relationship. (2) Workforce exception: If a CE supervises a third party’s work, and such work takes place on-site at the CE’s facility, then the access element fails and there is no business associate relationship. 
  • PHI: Actual protected health information of an individual must be involved.

If a Covered Entity does in fact work with an entity that is properly classified as a business associate, then under the HIPAA laws, the CE is required to enter into a Business Associate Agreement. A Business Associate Agreement (“BA Agreement”) is a contract that lists specific inclusions which force the Business Associate to abide by the rules governing protected health information. A Business Associate Agreement:

  • Establishes the Business Associate’s permitted uses and disclosures of PHI (which generally cannot exceed the rights of the disclosing Covered Entity)
  • Specifies that the BA will comply with the law
  • Requires the BA to use safeguards to protect information
  • Requires the BA to report illegal disclosures
  • Ensures that the BA will account for all disclosures made
  • Requires the BA to respect the rights of patients to access and amend their own PHI
  • Requires the BA to accept the possibility of auditing by HHS
  • Requires the BA to return or destroy all information at termination

More to come.

Michael C. Hughes

About Me: the Basics

Hello all,

My name is Michael C. Hughes and I am a law student at Seton Hall University School of Law (J.D. expected January 2013). Throughout my legal travels I have been introduced to a varied number of different legal doctrines, research forums, and practice areas. Amidst this wave of new information I discovered the field of legal administration, regulation, and compliance. I have been an avid participant and supporter ever since.

What may seem boring to many law students, legal scholars, and practicing attorneys is, to me, one of the most fascinating realms of the legal world. I have been fortunate to come under the tutelage of some very knowledgeable individuals with a passion for regulation and compliance and this has surely shaped my continuing, expanding interest in the field.

This blog will serve as a way to express that interest. I hope to provide insightful commentary into the processes and procedures of the legal administrative world and explain some of the background information behind the purpose and effectiveness of regulatory statutes.

Michael C. Hughes