Feb 5, 2014
Does Your Business Need to be HIPAA-Compliant?
This is the latest in a series exploring HIPAA and its impact on medical practice and compliance, patients’ rights, business and related topics. If you have a question about HIPAA and your business, please let us know.
The Health Insurance Portability and Accountability Act (HIPAA) is designed to help protect American workers and their families with continued health insurance coverage and to establish industry-wide guidelines that protect the confidential use of personal healthcare information.
According to HIPAA, if you belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you and your business are required to be HIPAA-compliant.
Let’s break this down.
“Covered entities” describes U.S. health plans, health care clearinghouses, and health care providers.
Examples of health plans include:
- Company health plans
- Health maintenance companies
- Employers and schools who handle PHI when they enroll employees and students in health plans
Health Care Clearinghouses
Health care clearinghouses are organizations that collect information from a healthcare entity, process that data into an industry-standard format, and deliver it to another entity. Examples of clearinghouses include:
- Billing services
- Community health management information systems
Health Care Providers
“Health care providers” covers a broad range of services, including:
- Laboratory technicians
- Nursing homes
“Business associates” refers to any organization or individual that acts as a vendor or subcontractor with access to PHI. Examples of business associates include:
- Data transmission providers
- Data processing firms
- Data storage or document shredding companies
- Medical equipment companies
- Consultants hired for audits, coding reviews, etc.
- Electronic health information exchanges
- Medical transcription services
- External auditors or accountants
Protected Health Information
With such a wide range of entities and business associates covered by HIPAA, it is critically important to know exactly what PHI entails. Any information included in a medical record that can identify an individual and was created and used while providing health care (such as diagnosis or treatment) falls under the category of protected health information.
PHI also includes:
- Any conversations a patient has with a physician or nurse about his or her treatment
- A patient’s billing information
- Medical information in the patient’s health insurance company’s database
If your medical or dental practice still relies on paper records, don’t make the mistake of thinking you’re automatically exempt from regulation. (And why are you still using paper records anyway?) If and when you submit claims in hard copy to a billing company and that company in turn transmits those records electronically to payers, HIPAA rules apply to you as well.
Learn more about individuals, organizations, and agencies that are considered “covered entities” or “business associates” and must be HIPAA-compliant.