The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal regulation to protect patient health information (PHI) from the public at large. As a federal law and rule, HIPAA provides guidance on exactly who is covered underneath this rule, what they must do to be in compliance, and the consequences if they are not in compliance.
Everyone should understand that HIPAA compliance is not an option. It is mandatory. However, the word compliance can be very tricky, especially for small businesses. It is very important that covered entities (i.e. medical/dental practices, financial institutions) work with attorneys and third-party businesses who understand the complexities of HIPAA, and who can ensure that covered entities are in compliance.
Third-parties that work with covered entities also fall under the guidance of HIPAA and are referred to as Business Associates of the covered entity. Business Associates must be in compliance under HIPAA as well and a separate document is required for everyone’s protection.
A business associate is a business or an individual who works with a covered entity that provides services that may come into contact with PHI. Some common examples are the following:
- Medical billing firm;
- Marketing or advertising firm;
- Accountants and bookkeepers; or
- Anyone who will be working with a covered entity who will have access to PHI.
For any business who is considered a business associate of a covered entity, they must have a Business Associate Agreement (BAA) between them and the covered entity to protect the PHI and to be in compliance with HIPAA. The overall reason is that there could be a data breach during the performance of the services of the third-party business and the BAA will provide information on who is responsible, what steps are required to protect the information and how to report the breach, if necessary, and other important information that will provide guidance to the parties of the BAA.
The easiest way to explain this is to provide a real-life example: A medical practice was utilizing the services of an IT company, who under HIPAA, would be a business associate of the practice. The business associate then experienced a breach of information, separate and apart from their contract with the practice and as a result, PHI that was in their possession was released to the public; a HIPAA violation. However, the practice did not maintain a BAA between them and the IT company. As a result, and because the PHI of their patients were being utilized by the IT company and were part of the breach, the practice was fined over $100,000 for not being in compliance with HIPAA. It should also be noted that the IT company was fined as well for non-compliance.
Data breaches and the fines that are attributed to them are constantly increasing in number and cost. To date, many of these fines are hundreds of thousands of dollars or more, depending upon the circumstances. If you are a small- or medium-sized business, and you are assessed a fine due to a data breach or not following the rules and regulations of HIPAA can potentially cause the practice to shut its doors. This is why it is important for covered entities and business associates to understand the requirements of HIPAA and be in compliance with them.
HHS, the Department of Health and Human Services Office for Civil Rights, controls HIPAA and is consistently expanding their division, their enforcement team, and working to ensure that those who are considered covered entities are within the rules and regulations of HIPAA.
HIPAA is an important federal regulation. Working with individuals and businesses who understand its importance and are in compliance with its rules and regulations will assist in keeping the covered entity in compliance as well. As HIPAA changes, all those who fall under the parameters of HIPAA must be aware of the changes and adapt their practice and business accordingly in order to maintain compliance.
If you have any questions on whether you are a covered entity or business associate or require additional information about HIPAA, please reach out to your attorney or visit https://www.hhs.gov/hipaa/index.html.