Part 1: Learning About HIPAA (FAQ 9 of 65)
9. Which Health Care Entities Must Comply With HIPAA?
HIPAA doesn't apply to every health record keeper or to every health record. Only covered entities must comply with HIPAA. Get used to the term covered entity because it comes up a lot. HIPAA recognizes and regulates three types of covered entities.
If your medical information is maintained by or for a covered entity, it is usually protected by HIPAA. If your medical information is not maintained by or for a covered entity, it is usually not protected by HIPAA. The covered entity concept is complicated, and we will explain business associates and hybrid entities later in this FAQ.
Covered entities under HIPAA are:
HEALTH CARE CLEARINGHOUSES
Health care clearinghouses transmit information (typically claim and billing information) between other players in the health care system. For example, a hospital may send the bill for your treatment to a health care clearinghouse that will reformat and submit the information to your insurance company. Clearinghouses are of no interest to the average patient because their function is usually invisible. Patients rarely, if ever, come into contact with them. But clearinghouses have the same obligations as other covered entities, and that is important if you do have an issue with a clearinghouse. Otherwise, don't worry about clearinghouses. We won't mention them again.
HEALTH PLANS
Health plans are covered entities. Health insurers, health maintenance organizations (HMOs), and Medicare are examples of health plans subject to HIPAA.
HEALTH CARE PROVIDERS
Health care providers are covered entities, at least most are. Generally, a health care provider is a doctor, hospital, dentist, podiatrist, pharmacist, laboratory, optometrist, and just about anyone else licensed to provide health care. The formal legal definition of health care provider is so complex that it makes lawyers wince.
It is important to understand that not all providers are subject to HIPAA. It generally depends on whether a provider bills (directly or indirectly) for services electronically. The reason for this odd, even silly, standard has to do with the structure of the health care system and the Department of Health and Human Services' authority to regulate. Unless you are a policy wonk, you probably don't want to know more.
SCHOOL HEALTH RECORDS
Most school health records are not subject to HIPAA. Instead, school records (private schools are a major exception) are usually covered by another federal privacy law, the Family Educational Rights and Privacy Act (FERPA). The federal Department of Education administers FERPA. A school nurse is likely to be subject only to FERPA. A university hospital that runs a student clinic on behalf of the university is also subject to FERPA. However, other university hospital records about students could be subject to HIPAA, depending on the circumstances. The relationship between HIPAA and FERPA is very complicated. For more, see www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
Which law is better for privacy? Privacy rights under FERPA can be better in some ways than under HIPAA and worse in other ways.
OTHER RECORD HOLDERS
Who else has health records but isn't subject to HIPAA? Many organizations that have health information about you are not subject to HIPAA. The list of unregulated health record keepers is shockingly long. These include gyms, health websites not offered by covered entities, Internet search engines, life and casualty insurers, the Medical Information Bureau, employers (but this one is complicated), worker's compensation insurers, banks, credit bureaus, credit card companies, many health researchers, the National Institutes of Health, cosmetic medicine services, transit companies, hunting and fishing license agencies, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners, disease advocacy groups, marketers of non-prescription health products and foods, and some urgent care facilities. Providers of Personal Health Records (PHRs), such as Google and Microsoft, have health records but are not covered entities. However, a PHR maintained by your health care provider or insurer may be covered by HIPAA.
A health record covered by HIPAA can lose its privacy protection if transferred to a third person who is not a HIPAA covered entity. This is a very important aspect of HIPAA. Some would call it a loophole. We offer four examples of how you may see it in daily life. However, each of our examples has a weasel word (“probably”) because the rule is complicated. If we stopped to explain this kind of thing further, this document would quadruple in size.
We could list additional examples, but we offer a rule of thumb instead.
If a covered entity hires another company to perform a function that requires access to health information, that other company may be a business associate of the covered entity. A business associate of a covered entity is technically not subject to HIPAA. However, the covered entity must have a contract with each business associate that requires the business associate to comply with all relevant HIPAA provisions. The basic idea is that a covered entity cannot avoid the privacy rule by hiring someone else to process health records. The rules defining business associates are complicated and not that important from a patient perspective. Remember that even if a business associate holds your record, the covered entity that hired the business associate is still responsible to see that the record receives proper protections.
If you share health information with your family, a neighbor, or a co-worker, the information that you share is not protected under HIPAA in the hands of the recipient. If you share your health information with a website that isn't a covered entity under HIPAA, then the information you disclosed is not protected under HIPAA in the hands of the website. This is a complex area that has created a lot of confusion among some consumers. Medical websites may very well not be covered under HIPAA, even if they say they are “HIPAA-compliant.”
See the Rule of Thumb below, “HIPAA Compliant, or HIPAA Covered?”