Introduction and Key Concepts

Key Concepts: Covered Entity
The HIPAA privacy regulations do not apply to
everyone. Only certain categories of individuals
and businesses are directly regulated by the privacy
rules. (Other individuals and businesses may become
subject to the regulations indirectly through
business associate agreements, which will be covered
later.) The regulations use the term "covered
entities" to refer to all of the entities to which
the rules apply directly. The three categories
of covered entities are:
· Health
care providers: Any health care provider who
transmits any health information in electronic
form in connection with a "covered transaction"
is a covered entity. "Covered transactions" include
health care claims, encounter information and
referral authorizations, among others. Therefore,
a large majority of health care providers are
covered entities.
· Health plans: Covered entities include
any plan that pays the cost of medical care, except
for workers' compensation plans and a few other
specifically excepted kinds of plans. Employer
group health plans, health insurance plans, HMOs,
Medicare and Medicaid are all covered entities.
· Health care clearinghouses: The privacy
regulations define a health care clearinghouse
as an entity that processes health information
received from standard format into a nonstandard
format. Billing services, repricing companies,
community health information systems and value-added
networks and switches are all covered entities.
Note that employer-sponsored health plans, including
self-insured plans, are covered entities, but employers
themselves are not.

Key Concepts: Protected Health Information
The information that is protected by the privacy
regulations is referred to as "protected health
information," often abbreviated to "PHI." PHI
includes any information that is created or received
by a health care provider, health plan, employer,
or health care clearinghouse; and that relates
to a person's physical or mental health or condition;
or the provision of health care to a person; or
payment for the provision of health care to a
person; and that identifies or reasonably could
be used to identify the person.
Note that the definition of PHI depends not only
on what the information is, but also on who possesses
it. Health information is "protected" under the
privacy regulations only when it is in the possession
of a covered entity. The same information that
is PHI when created or received by a covered entity
is not PHI if it is collected by a non-covered
entity.
Covered entities are required to take steps to
protect PHI from unauthorized disclosure, intentional
or unintentional. For this reason, it is important
to understand just how broad the definition of
PHI is. Obviously, medical records and billing
records contain PHI and must be kept confidential.
But PHI is not only in patient charts, billing
systems and claims files, and protecting against
unauthorized disclosure of PHI requires much more
than just making sure that medical records are
kept in a locked room. PHI is on prescription
labels, in telephone logs, in customer complaint
letters, and on that Post-It note stuck on the
side of the computer monitor. When a nurse calls
out a patient's name in the waiting room of a
physician's office, he or she has just disclosed
PHI about that patient to everyone in the waiting
room. When a pharmacist tells a customer about
possible side effects of a drug, and the next
person in line overhears the conversation, PHI
has been disclosed. PHI is disclosed if a person
sees a package left on the next-door neighbor's
doorstep with a return address of "ABC Diabetic
Supplies."
But don't panic. A covered entity is not required
to control all disclosures of PHI. These examples
are just intended to illustrate how broad the
definition of "protected health information" is.
The steps a covered entity must take to protect
against unauthorized disclosure are covered later
in these materials.

Key Concepts: Business Associate
Business associate means a person or entity
who performs an activity on behalf of a covered
entity, or provides services to or for a covered
entity, involving the use or disclosure of protected
health information.
Accountants and attorneys, for example, are often
business associates of covered entities, because
covered entities disclose PHI to them to enable
them to perform services for the covered entities.
Employees of the covered entity are not considered
business associates of the covered entity.
A covered entity is required to have written contracts
with its business associates requiring the business
associates to safeguard PHI that is disclosed
to the business associate against unauthorized
use or disclosure, and to cooperate with the covered
entity in meeting the covered entity's responsibilities
under the privacy regulations.
A covered entity may be a business associate of
another covered entity. For example, a billing
service may be a covered entity because it may
fall within the definition of a health care clearinghouse.
However, it may also be a business associate of
a health care provider, because the provider discloses
PHI to the billing company so that the billing
company can provide billing services for the provider.
Not all relationships between covered entities
and other entities involving disclosure of PHI
are business associate relationships. In order
for a business associate relationship to be created,
one entity must be providing services to, for
or on behalf of another entity. For example, when
one health care provider refers a patient to another
provider, the second provider performs services
for the patient, not for the first provider. Therefore,
no business associate contract is required.

Note on State Law
HIPAA is a federal law, and applies throughout
the United States. However, a special provision
of the law states that if a state law imposes
requirements that are more stringent - that is,
providing more privacy protection, or providing
an individual with greater rights regarding his
or her own information, or requiring more documentation
- than HIPAA or the privacy regulations, then
the state law applies. Therefore, the privacy
rules establish a "floor" level of privacy
protection, but particular state laws may impose
more stringent requirements.