Your Business Obligations Under HIPAA
Author Name: TrainingABC
Posted: 11-09-2018 05:24 AM
Synopsis: The privacy of personal health information has become a sacred right enjoyed by every American and the law defined in the Health Insurance Portability and Accountability Act (“HIPAA”) protects these rights.
In today’s world, privacy has become more and more of an important issue. Most of the recent discussion of privacy has related to the internet, as social media companies have come under increased scrutiny for the way that they handle user data. The European Union even passed the General Data Protection Regulation to protect individuals’ data on the internet.
That said, this is just one angle of individual privacy. As a manager of an organization, one of your tasks is ensuring that your customers’ and employees’ data is sufficiently protected from others. While there are many rules and regulations that govern privacy, one that may be relevant to your organization is the Health Insurance Portability and Accountability Act (“HIPAA”).
HIPAA is complicated. However, it is important to understand whether HIPAA applies to your organization, and if so, what steps you must take to comply.
Let’s start with the basics. HIPAA is federal legislation that regulates the privacy and security of certain health information. As part of HIPAA, the U.S. Department of Health and Human Services (“HHS”) implemented the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), which establishes national standards for the protection of certain health information. The Privacy Rule was created to ensure that individuals’ health records are kept as private as possible while still giving healthcare organizations enough information to provide high-quality health care.
As for the information that is protected, the Privacy Rule protects “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” Further, HHS says that “individually identifiable health information” is information (including demographic data) related to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.
Importantly, the HIPAA rules apply to covered entities and business associates. Covered entities are healthcare providers, health plans, and healthcare clearinghouses. If your business is not in the healthcare industry, you may still need to comply with HIPAA if you are deemed a business associate. A business associate, according to HHS, is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Some examples of business associates include third-party administrators that assist a health plan with claims processing, an accounting firm that accesses protected health information when providing accounting services to a healthcare provider, or a consultant that performs utilization reviews for a hospital.
Ultimately, HHS provides some comprehensive guidance on the privacy guidelines in HIPAA, which you can find here.
What This Means For You
So what does this mean for you as a manager? There are several steps you should take to ensure that you are complying with HIPAA.
First, determine whether your organization is a covered entity or business associate. Unless your organization specifically works in the healthcare industry, you will most likely analyze whether your organization is considered a business associate. While you will likely want to speak with counsel to get a final answer, you can start your research by clicking here.
If your organization is a covered entity or business associate, you must then ensure that you are not sharing “individually identifiable health information.” This is true regardless of the form of the health information. If you are a covered entity, you must obtain satisfactory assurances from a business associate that it will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. Often this assurance is in the form of a contract.
Finally, ensure that all relevant employees are aware of their obligations under HIPAA. If certain employees are handling individually identifiable health information, they must know what they can and cannot do with that information. One of the best ways to avoid mistakes is to institute mandatory HIPAA training for employees. In this training, compliance professionals or attorneys can speak about what HIPAA is, how employees can comply with HIPAA, and what they should do if they suspect a HIPAA violation.
Top of the Mind
Compliance may not be the most exciting thing to think about, but it is critical for the long-term health of your organization. Therefore, understanding what HIPAA is, whether it applies, and how you can safeguard individually identifiable health information are things that your employees should understand, preferably as soon as possible. All necessary steps should be taken to avoid a HIPAA violation. Your future self will thank you.