Feb 5, 2014

Does Your Business Need to be HIPAA-Compliant?

This is the latest in a series exploring HIPAA and its impact on medical practice and compliance, patients’ rights, business and related topics. If you have a question about HIPAA and your business, please let us know. The Health Insurance Portability and Accountability ACT (HIPAA) is designed to help protect American workers and their families with continued health insurance coverage and establish industry-wide guidelines to protect the confidential use of personal healthcare information. According to HIPAA, if you are belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you and your business are required to be HIPAA-compliant. Let’s break this down. “Covered entities” describes U.S. health plans, health care clearinghouses, and health care providers. Health Plans Examples of health plans include:

HMOs
Company health plans
Health maintenance companies
Medicare
Medicaid
Employers and schools who handle PHI when they enroll employees and students in health plans

Health Care Clearinghouses Health care clearinghouses are organizations that collect information from a healthcare entity, processes this data in a industry-standard format and delivers it to another entity. Examples of clearinghouses include:

Billing services
Community health management information system

Health Care Providers “Health care providers” covers a broad range of services, including:

Physicians
Surgeons
Dentists
Podiatrists
Laboratory technicians
Optometrists
Hospitals
Clinics
Nursing homes
Pharmacies

Business Associates “Business associates” refers to any organization or individual who acts as a vendor or subcontractor with access to PHI. Examples of business associates include:

Data transmission providers
Data processing firms
Data storage or document shredding companies
Medical equipment companies
Consultants hired for audits, coding reviews, etc.
Electronic health information exchanges
Medical transcription services
External auditors or accountants

Protected Health Information With such a wide range of entities and business associates covered by HIPAA, it’s therefore critically important to know exactly what PHI entails. Any information included in a medical record that can identify an individual and was created and used while providing health care (such as diagnosis or treatment) falls under the category of protected health information. PHI also includes:

Any conversations a patient has with a physician or nurse about his or her treatment
A patient’s billing information
Medical information in the patient’s health insurance company’s database

A Warning If your medical or dental practice still relies on the use of paper records, don’t make the mistake of thinking you’re automatically exempt from regulation. (And why are you still using paper records anyway?) If and when you submit claims in hard copies to a billing company and that company in turn transmits those records electronically to payers, HIPAA rulings apply to you as well. Learn more about individuals, organizations, and agencies that are considered “covered entities” or “business associates” and must be HIPAA-compliant.