In this third part of our five-part series on HIPAA, we will review the agencies overseeing HIPAA and also who is required to comply with this law.
Who governs HIPAA?
The Department of Health & Human Services (DHHS) has delegated to the Center for Medicare and Medicaid Services (CMS) the responsibility of overseeing the electronic transaction portion of HIPAA.
DHHS’s Office of Civil Rights (OCR) is responsible for the privacy rules.
Who must comply with HIPAA?
HIPAA affects health plans, clearinghouses and providers, which are collectively referred to as Covered Entities. For our purposes here, let’s focus on providers. HIPAA defines a provider as anyone who provides medical or health services and any other person or organization who “furnishes, bills or is paid for health care services or supplies in the normal course of business.”
The list of entities that are considered providers includes: physicians and physician group practices (which also encompasses physician assistants and nurse practitioners), hospitals, skilled nursing facilities, diagnostic centers, outpatient physical or occupational therapy centers, clinical psychologists and social workers, registered dieticians, and certified nurse midwives. Keep in mind that there are other provider classifications, such as home health agencies and durable medical equipment companies. The list is very comprehensive.
However, HIPAA also applies to Business Associates. A Business Associate (BA) is a person or entity who performs a service or function on behalf of a covered entity and who uses protected health information in the process of performing its function.
Some good examples to clarify this concept include:
- A transcription service. A transcription service receives information about patients’ health in the course of performing a function or service (transcription) on behalf of the covered entity (the provider).
- A billing agency. Billing agencies receive health information about patients so they can perform a service (billing) on behalf of a covered entity (a provider).
Since BAs have access to protected health information, they must also uphold the standards of HIPAA, and the provider, as a Covered Entity, is responsible for contractually requiring this. BAs are expected to follow all of the HIPAA regulations; this is usually spelled out either in a separate Business Associate agreement between the Covered Entity and the BA, or in language within the two parties’ existing agreement that includes the same stipulations.
While all states have healthcare privacy laws, HIPAA specifically applies to Covered Entities and their Business Associates as described above. This means that – for example – if a provider organization is still in the stone age, keeping paper records and submitting paper claims, HIPAA compliance is not required. Bet that surprises you, right? However, many of the HIPAA guidelines make great sense and increase a patient’s sense of privacy, so even if a provider doesn’t meet the Covered Entity definition, these rules are still good to follow.
So what exactly is covered under HIPAA? Tune in on Thursday when we will explain the concept of Protected Health Information and what that means.