Who does HIPAA apply to?

Understanding HIPAA compliance can be challenging, especially since medical providers usually don’t have a legal background. If you’ve done a search to learn about HIPAA compliance, you’ve probably found a variety of resources. But the wording can be confusing and complicated — often leaving providers to wonder which regulations apply to their business and services.

So who does HIPAA apply to? There is a lot of confusion about this. Let’s look a little closer at HIPAA and who it applies to.

What is HIPAA?

HIPAA is the first national standard in the U.S. to protect sensitive patient health data. Congress enacted the Health Insurance Portability and Accountability Act (known as HIPAA) in 1996 to promote efficiency and standardization in the healthcare industry.

These nationally standardized protections require organizations to adhere to specific security rules when collecting, storing, and transmitting protected health information (PHI). Ultimately, HIPAA is all about making sure no one discloses PHI without a patient’s knowledge or consent.

HIPAA terms and phrases

If you visit the U.S. Department of Health and Human Services website, you might see that it says, “The HIPAA Rules apply to covered entities and business associates.” But that statement on its own may leave you wondering what those two categories are.

What is a covered entity?

How do you know if your business is a “covered entity”? According to the U.S. Department of Health & Human Services, a covered entity is:

  1. One of the following:
     a. A healthcare provider (including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), or
     b. A health plan (including health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and military and veterans health care programs), or
     c. A healthcare clearinghouse (including entities that process nonstandard health information they receive from another entity into a standard, i.e., standard electronic format or data content)
  2. That transmits any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

*Note that both 1 and 2 must be met for an organization to be considered a “covered entity.”

What is a business associate?

A business associate, generally speaking, is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Some of the types of business associates that may provide such services to a covered entity include medical transcriptionists, coding or billing companies, accounting firms, lawyers, and medical device manufacturers, among others.

When is a business associate agreement necessary?

Before a covered entity can disclose PHI to a business associate, it should enter into a business associate agreement (BAA) with the business associate. The BAA sets out the business associate's obligations to the covered entity as it provides services to, and handles PHI on behalf of, the covered entity.

The importance of choosing HIPAA-friendly services

If you’re a covered entity, it’s essential to choose HIPAA-friendly services any time you’re using a software provider for PHI. Under HIPAA law, covered entities must identify their business associates, determine whether these providers comply with HIPAA, and execute a HIPAA-friendly business associate agreement with each provider.

HIPAA-friendly forms and tools

Becoming HIPAA-friendly doesn’t have to be a complicated process. You simply need to choose providers that offer services complying with HIPAA rules and regulations.

At Jotform, we understand the importance of protecting sensitive health information. We offer HIPAA-friendly forms for everything from appointment scheduling to billing, helping healthcare providers stay organized and in compliance.

*The above info is offered for your convenience and not for legal advice. Please consult with your attorney(s) if you have questions about your particular legal situation.
