Who must be HIPAA compliant?

The HIPAA Rules apply to two groups: covered entities and business associates. A covered entity is a health plan, health care clearinghouse or health care provider who electronically transmit any health information. Examples of covered entities are:

• Doctors
• Dentists
• Pharmacies
• Health insurance companies
• Company health plans

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Examples of business associates (whose services involve access to PHI) are:

• CPA
• Attorney
• IT providers
• Billing and coding services
• Laboratories

For more detailed information on the definition of a covered entity and businesses associate visit The Department of Health and Human Services (HHS) website.

HIPAA Privacy Rule

The HIPAA Privacy Rule provides federal protections for personal health information and gives patients rights to their own protected health information (PHI). The Privacy Rule permits the disclosure of PHI needed for patient care and other important purposes. The Privacy Rule applies to all healthcare providers, including those who do not use an Electronic Health Record (EHR) system, and includes all mediums: electronic, paper, and oral.

Privacy Rule Basics:

• Spells out administrative responsibilities
• Discusses written agreements between covered entities and business associates
• Discusses the need for privacy policies and procedures
• Describes employer responsibilities to train workforce memebers and implement requirements regarding their use and disclosuer of PHI.