A common question we hear when we mention Avertium's compliance expertise is, "Does HIPAA Apply to Me?". Due to nuances in the requirements, it's a fair question.
In this post, we describe how your organization can determine whether or not you are required to adhere to the HIPAA regulations for privacy and security of protected health information (PHI).
The Health Insurance Portability and Accountability Act (HIPAA) is a United States regulation designed to protect the personal data collected as part of providing health care to individuals. HIPAA provides a set of minimum data security requirements for organizations that handle protected health information (PHI).
The HIPAA regulation applies to “covered entities” and “business associates” that handle “protected health information”. In this section, we’ll describe what HIPAA means by “covered entities” and “business associates”. In the next section, we’ll cover what is considered “protected health information” by the HIPAA regulations.
According to the HIPAA regulations, there are three types of covered entities: health plans, health care clearinghouses, and health care providers.
Health plans are organizations that provide medical care or pay the cost of providing medical care. This includes Health Maintenance Organizations (HMOs), Preferred Provider Organizations (PPOs), Medicare, Medicaid, company health plans, etc.
Health care clearinghouses include any organization that receives data from one healthcare entity in one format (either standard or non-standard), converts it to another format (non-standard or standard), and provides it to another entity. Examples include billing services, community health information systems, and any other organization that provides “value-added” services to one or both organizations.
Health care providers include anyone who provides health care services. This includes everything from preventative care to rehabilitation to pharmaceutical care. Examples include doctors, pharmacists, nursing homes and hospice workers, and lab technicians.
A business associate is any organization that has a vendor or subcontractor relationship with a covered entity and handles protected health information as part of that relationship. If an organization has access to health information in digital or physical form, or to systems that generate or store this information, it may be considered a business associate under HIPAA.
Some types of PHI are obvious, like the contents of a person’s medical record. However, this is not the only information protected by HIPAA. PHI includes:
If your organization handles any of these types of information in any form, you may be subject to HIPAA regulations.
Identifying whether your organization is subject to HIPAA requirements is only the first step toward compliance. You also need to understand the minimum requirements HIPAA sets out, and how to apply them to your organization's particular situation, to ensure that the organization is not in violation of the HIPAA regulations.
Avertium is a top HIPAA compliance company with a team of experts to help you determine whether your organization is subject to HIPAA and take the necessary steps to meet or exceed HIPAA’s minimum requirements for properly managing protected health information.
Contact us to learn more about our HIPAA compliance services and certification program.
With Avertium, you get more rigor, more relevance, and more responsiveness. Don't just comply: download our guide to HIPAA compliance today and show no weakness.