HIPAA is a complicated law with numerous provisions. HIPAA is the abbreviation of the 1996 Health Insurance Portability and Accountability Act, Public Law 104-191.[1] HIPAA included provisions that authorized the U.S. Department of Health & Human Services (HHS) to adopt national standards to protect the privacy of personal health information. HIPAA mandated that HHS take action to ensure privacy protection for individually identifiable health information.[2]
According to the official HHS website, HIPAA requirements include those found in Public Law 104-191, a final Privacy Rule adopted in December 2000, a final Security Rule adopted in February 2003, an Enforcement Rule, and an Omnibus Rule.[3] An unofficial version of all HIPAA regulations is found in a combined regulation text on the HHS website.[4] This unofficial version of the regulations is 115 pages long. You may read the full regulations for yourself if you want. However, the purpose of this article is to provide a snapshot of what HIPAA is and the basic requirements it imposes on businesses.
First, it is important to note that HIPAA does not impose requirements on all businesses. Instead, it applies only to the following entities: “(1) A health plan; (2) A health care clearinghouse; (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter; or (4) an individual or “business associate” that provides certain services to a covered entity.”[5]
Thus, your business is regulated by HIPAA only to the extent that it falls into one of the four categories listed above. The first three are fairly self-explanatory. Savvy business owners likely understand whether their business falls within those categories. The more difficult determination is whether your business is a “business associate” of one of the first three types of businesses. Business associate is further defined in § 160.103 to include health information organizations, someone that offers personal health records, and a subcontractor that “creates, receives, maintains, or transmits protected health information on behalf of the business associate.”[6] § 160.103(4) carves out exceptions from the definition of business associate. These exceptions include: health care providers, to the extent that information is disclosed to them regarding treatment of the individual; plan sponsors, when they disclose to a group health plan; a government agency; and other limited circumstances.[7]
Hypothetically, if your business contracts with a health care provider to provide database storage, would this subject you to HIPAA requirements? Most likely, yes. A provider of database storage may be determined to be a business associate, as your role would be to receive or maintain protected health information on behalf of your company’s client. You should also be able to identify who your customers are and determine whether they are health care providers or other covered entities. What if your company provides generally applicable services, such as email available to the public, yet you do not contract directly with a health care provider? Then the business owner would not have a contract that authorizes the business to create, receive, maintain, or transmit protected health information. Thus, that company should not be subject to HIPAA regulation.
Why Should My Company Pay Attention to HIPAA Compliance?
HHS takes its obligation to enforce HIPAA regulations seriously, as is evident from the large number of HIPAA fines and settlements that have been handed out in recent years.[8] There were 10 reported fines and settlements in 2018. Notably, Anthem, Inc. agreed to a $16,000,000 settlement for numerous HIPAA violations in October 2018. Anthem’s hefty fine was due to the extreme scale of its 2015 data breach, in which the records of around 78 million people were stolen by hackers.[9]
In many areas of the law, it is wiser to plan ahead and spend money on compliance than to stick your head in the sand and risk an extreme penalty if you are caught. If you are unsure whether your business may have HIPAA compliance issues, you should read more on the subject and consider consulting an attorney or hiring your own HIPAA compliance expert.
For much more detailed HIPAA information, I recommend reading the HIPAA Journal’s Compliance Checklist.[10]
[1] See https://www.hhs.gov/hipaa/for-professionals/index.html
[2] See https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996
[3] See https://www.hhs.gov/hipaa/for-professionals/index.html
[5] C.F.R. Part 160.102.
[6] C.F.R. § 160.103.
[7] C.F.R. § 160.103.