HIPAA Compliance Rules For The Covered Entities and Business Associates
HIPAA has lots of elements and requirements that make a general set of rules called HIPAA Compliance. Let’s discuss, what is HIPAA Compliance and to whom it may refer.
This type of compliance means fulfilling the requirements and guidelines of the Health Insurance Portability and Accountability Act of 1996 and any related legislation. HIPAA rules may applicable to different types of processes in health care industry, including exchange of electronic information. That is why there is a separate section that connects HIPAA requirements to Electronic Data Interchange.
HIPAA requirements are applicable to every type of Covered Entity or Business Associate if this entity or associate creates, accesses, processes, or stores PHI (Protected Health Information).
A Covered Entity may be a health care provider, a health plan, or a healthcare clearing house. A Covered Entity creates, maintains or transmits Protected Health Information. There are some exceptional case. For example, a health care provider is employed by a hospital. In this case, it is not a Covered Entity. The hospital is the Covered Entity that is responsible for implementing HIPAA-compliant policies.
Are employers Covered Entities? Despite maintaining health care information about their employees, generally they are not. If they provide self-insured health cover or benefits, they may be considered “hybrid entities” and should adhere to HIPAA compliance rules.
A Business Associate is a business (or a person) that provides a service and has access to PHI. In this case, PHI is maintained by the Covered Entity. Examples: accountants, lawyers, cloud storage services, billing companies, contractors etc. Before accessing to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity. After that, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.
Learn more about HIPAA application and implementation together with EDI