If your organization operates in or adjacent to healthcare, there’s a good chance that HIPAA applies to you. And if it does, it’s in your best interest to ensure your compliance ASAP.
- Eligibility depends on what kinds of data you process
- There are three distinct kinds of HIPAA Covered Entities
- All Covered Entities have to follow specific HIPAA rules
- HITRUST CSF is a security framework designed to standardize HIPAA compliance
What Data Does HIPAA Exist to Protect?
The Health Insurance Portability and Accountability Act (HIPAA) exists to safeguard protected health information (PHI). PHI comprises information about, containing, or related to patients’ medical history and conditions, healthcare treatment received, and any payments made or pending for that treatment. Specifically, documents that contain any of these elements, along with personally identifiable information (PII) such as patient names or addresses, are considered PHI.
The simplest way to tell if HIPAA applies to your organization is to determine whether you store, process, or otherwise come into contact with PHI. That means accounting for both physical documents and any electronic PHI (ePHI) anywhere in your systems. A PII scanner or similar tool for identifying sensitive documents can help you determine your HIPAA eligibility.
The bottom line: if your organization comes into contact with PHI, you are most likely a HIPAA Covered Entity and need to achieve HIPAA compliance—irrespective of your industry niche.
Who Counts as a HIPAA Covered Entity?
Organizations do not have to be directly involved in healthcare to be subject to HIPAA. The classic example of a Covered Entity would be a doctor’s office that regularly deals in PHI in all of its daily operations. But there are actually three primary categories of HIPAA Covered Entity:
- Healthcare Providers – These are individuals and organizations that provide treatment, products, or procedures. Examples include private doctors, their practices, and any employees therein; group care facilities, such as nursing homes; and pharmacies.
- Health Plans and Administrators – These are organizations involved in health insurance coverage and processing. Examples include insurance companies, health maintenance organizations (HMOs), and employer-sponsored health plans.
- Healthcare Clearinghouses – These are organizations involved in processing health information between nonstandard and standardized formats. Examples include billing and other service providers who transmit PHI between other Covered Entities.
If your organization falls into any of these categories, even tangentially, you are almost certainly a Covered Entity. Even if you aren’t one of these kinds of businesses, but you work closely with them, there’s a chance HIPAA protections apply to you as a Business Associate. Examples include accountants and attorneys who work closely with Covered Entities and come into contact with PHI. They must sign Business Associate contracts that stipulate their responsibilities with respect to PHI and how it is shared with the Covered Entity.
So, for all intents and purposes, a Business Associate can be a Covered Entity.
What Do Covered Entities Have to Do?
If your organization is a HIPAA Covered Entity or Business Associate, you’ll need to implement cybersecurity controls to ensure PHI is protected up to HIPAA standards. You’ll need to monitor any PHI you encounter and prevent any unauthorized access or use, or the risk thereof.
Namely, all Covered Entities under HIPAA are required to follow these prescriptive rules:
- Privacy Rule – Covered Entities must ensure that PHI is used or disclosed only to the subject of the data, or in ways requested by the subject or their representative. There are select Permitted Uses and Disclosures, such as uses in the public interest or for scientific research, but these must also be limited to the Minimum Necessary.
- Security Rule – The Security Rule requires Covered Entities to take proactive measures to monitor for, identify, prevent, and mitigate any reasonable threats to the security, integrity, and availability of PHI. This includes rigorous Risk Analysis and Management, along with the implementation of Administrative, Physical, and Technical Safeguards.
- Breach Notification Rule – If PHI is used or disclosed in a manner prohibited by the Privacy Rule, organizations must provide several forms of notification. Parties impacted by the breach must be notified, along with the Secretary of HHS. And, in breaches impacting 500 or more people, media outlets must also be notified via press release.
Note that failing to uphold any part of the Privacy or Security Rule could itself constitute a breach and trigger notification requirements. Even if data is not actually breached, you should be ready to send out the notices immediately to cover any potential responsibilities.
Further, failure to follow any of these rules may constitute a HIPAA violation. This could trigger the HIPAA Enforcement Rule, which could in turn lead to severe monetary and other penalties.
Optimize Your HIPAA Compliance Today
To recap, Covered Entities under HIPAA are any organizations that come into contact with PHI. This includes the three formal categories of Covered Entities (healthcare providers, health plans, and healthcare clearinghouses), along with their Business Associates. All of these parties need to follow the Privacy, Security, and Breach Notification Rules to remain HIPAA compliant.
RSI Security has helped countless organizations achieve and maintain HIPAA and broader healthcare compliance. We understand that discipline creates freedom; installing robust protections from HIPAA and other frameworks like the HITRUST CSF allows you to operate more efficiently, minimizing the likelihood and potential impact of a cyberattack or data breach.
Is your organization a HIPAA Covered Entity? Contact us today to streamline your compliance!