HIPAA Privacy Rules for Covered Entities and Business Associates

The Health Insurance Portability and Accountability Act (HIPAA) is intended to protect the privacy of patients’ health information. But navigating HIPAA can be confusing because it is often difficult to figure out to whom the rules apply.

“Covered entities” must comply with HIPAA, and the rules can also extend to business associates of covered entities. But what is a covered entity under HIPAA?

The U.S. Department of Health and Human Services provides information to help identify covered entities.  They fall into three categories: health care providers, health plans and health care clearinghouses.  The health care provider category includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies, among others.  The health plan category includes health insurance companies, HMOs, company health plans, Medicare, Medicaid and military and veterans’ health care programs. Finally, the health care clearinghouse category includes companies that process health care information, converting non-standard data into standardized data, on behalf of other entities.

If a covered entity has a business associate that helps it carry out its health care function and the business associate comes into contact with private health information, the covered entity must have a written contract with the business associate. The contract must establish what services the business associate will be performing and that the associate has agreed to comply with HIPAA privacy rules. Claims processors are an example of business associates in this context.

Experience is required to navigate the complexities of HIPAA. That is why it is important to consult experienced health care regulatory compliance attorneys who can ensure that your business practices don’t violate HIPAA.
