Are You in Violation Without Knowing It?
Is your organization affected by HIPAA compliance rules? Are you worrying about HIPAA violations?
The answer should be fairly clear-cut, until you consider what the law actually says and how many organizations today come into contact with healthcare data of one sort or another. The government is quite specific about what counts as a covered entity, yet health and medical data are often handled by businesses that do not realize they are exposed to possible violations, and hence fines.
What the HIPAA Rules Identify as Covered Entities
HIPAA Rules are quite clear about which entities count as “covered entities” and are therefore subject to HIPAA compliance requirements. They include:
Healthcare Providers, such as
- Nursing Homes
Health Plans, including private insurance companies and HMOs, as well as government programs like Medicare and Medicaid.
Healthcare Clearinghouses, which process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
Though not specifically mentioned, it is also clear that other entities would fall under these categories as well, including:
- Drug card sponsors
- Health plan billing services and providers
In other words, covered entities include any healthcare provider that furnishes, bills, or is paid for healthcare in the normal course of business and transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like).
Per the webpage on HIPAA from the Department of Health and Human Services (HHS):
“Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.”
Beyond Covered Entities: Business Associates
The list of covered entities does not exhaust the list of organizations subject to HIPAA compliance rules, however. Many businesses support covered entities, and so may be in a position to view, handle, or transmit some of their data.
The HHS goes on to say:
“If a covered entity engages a business associate to help it carry out its healthcare activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”
In short, “Business Associates” must meet the Rules’ requirements for protecting PHI, and they are directly liable for violations of the provisions that apply to them.
But which businesses count as “Business Associates” in this sense? A power company supplying electricity to a hospital is plainly not one, even though it does business with the hospital: it never creates, receives, maintains, or transmits protected health information (PHI) on the hospital’s behalf, so it cannot be in violation of HIPAA.
The difficulty comes when we realize just how broad the term “healthcare data” is. It goes well beyond the official health record: each of the following counts as PHI when a covered entity or business associate holds it together with information about a person’s health, treatment, or payment for care. It includes:
- Identifying information. This includes the names, addresses, Social Security numbers, email addresses, and personal website URLs of patients. It can also include any geographic information that might be used to identify individuals.
- Images. This includes not only medical imaging (such as MRIs or x-ray images) but even photographs of a person’s face used for identification purposes.
- Biometric identifiers. Fingerprints, retinal scans, and voice recordings fall under healthcare data as well, since they can easily be tied to a patient’s identity.
- Appointments and calendars. Information on which healthcare providers a person is seeing, and when, also counts as healthcare data.
Business Activities that Could Trigger HIPAA Rules
The following list is not meant to be exhaustive. It is also not definitive: these activities are not subject to HIPAA rules in every case. Rather, the list is meant to be suggestive. We strongly recommend that businesses unsure of whether they need to comply contact a compliance expert:
Marketing and content creation. Marketing companies (even freelancers) often create content for healthcare organizations, and may be inclined to use images, video, or case studies collected in the course of the covered entity’s business. So yes, even marketing pieces need to be checked for HIPAA compliance.
Medical transcription. Medical transcription companies, which transcribe voice-recorded notes and medical reports dictated by doctors and nurses, handle PHI as a matter of course.
Cloud-based storage for health records. A SaaS company that provides electronic health records for physicians, or any other kind of cloud storage for healthcare information (think data from studies or transcripts), is also subject to HIPAA rules.
Analytics. Companies that process medical data while performing data analytics for covered entities must be able to receive, secure, and transmit that data according to HIPAA rules, and to demonstrate that they do.
Value-added banking activities (like benefits management). Banks and financial institutions have had a complicated history with HIPAA when it comes to clarifying the rules. HIPAA rules do not apply to banking and financial institutions with respect to payment processing activities, meaning any activity involved in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for healthcare. However, banks are held to HIPAA standards if they perform activities beyond those that might put them into contact with PHI. For example, if a bank offers invoicing services or lockbox services for healthcare clients, those could trigger the need for HIPAA compliance. So could benefits management, data analysis, or healthcare lending.
Shredding and/or document storage. The data need not be electronic. Handling documents containing PHI, even if the company is simply shredding them, brings the company under HIPAA regulations. Companies that specialize in shredding medical documents should take note.
Audits. Whether financial, legal, or otherwise, companies auditing covered entities will inevitably run across PHI. They, too, must comply with HIPAA rules.
Answering services. Are you an answering service with doctors’ practices as clients? In the normal course of business you have access to patients’ identifying information and possibly calendar and appointment information. This information is protected as well.
Consulting. Consultants that advise covered entities, or perform any of the above functions for them, are just as subject to HIPAA regulations as a larger company or organization would be.
Needless to say, the range of business activities that could be subject to HIPAA rules is much wider than the simple list of covered entities, or the typical lists of Business Associates. If you have questions about whether your organization might be subject to HIPAA rules (and violations), especially when it comes to handling data in a cloud environment, please reach out. We here at Connectria have helped dozens of companies, from many different industries, navigate the complexities of HIPAA compliance.
To understand the full risk of HIPAA violations, see our article “You CAN’T Afford It – What HIPAA Violations Really Cost.”
For the basics on HIPAA and cloud compliance, start with “What Does it Mean for Cloud Services to be HIPAA Compliant?” and “The Best Ways to Find HIPAA-compliant Cloud Storage.”
For more on our own HIPAA compliance services, visit our HIPAA Compliance Page.