Does HIPAA Apply To My Business?
Wednesday, June 25, 2025

Varnum Viewpoints:

HIPAA applies outside of healthcare providers. If you offer employee health benefits, especially through a self-funded plan, HIPAA applies to your health plan.

You may be a covered entity or business associate. Health plans, providers, and vendors handling health data are subject to HIPAA, often to differing extents.

HIPAA has specific compliance duties. Requirements include privacy notices, policies, risk assessments, and business associate agreements.

The Health Insurance Portability and Accountability Act (HIPAA) applies far more often than many realize, including when a company outside of the healthcare sector provides certain types of health benefits to its own employees. While HIPAA compliance quickly gets complex, determining if it applies to your business does not need to be. This advisory includes helpful definitions of key terms, including Protected Health Information (PHI), the Privacy Rule, and the Security Rule.

What Is a HIPAA Covered Entity?

HIPAA applies only to covered entities, including health care providers and health plans, and their business associates. Many covered entities already know they are subject to HIPAA. This includes those in the healthcare sector, such as doctors, hospitals, pharmacies, and insurance companies, for whom HIPAA compliance should be an integral part of daily business.

Does My Employee Health Plan Make My Company a Covered Entity?

Employer-sponsored health plans are also covered entities. The design of that health plan will impact how HIPAA applies, but the Privacy Rule and the Security Rule make it clear: if employees receive health benefits, HIPAA will apply to the health plan, even if it does not apply to the company in its role as an employer generally. If an employer maintains a fully-insured plan and the insurer is handling most or all of the administration of the coverage, the employer may not receive much PHI, if any. However, as more plans move toward self-funding and self-administration, HIPAA will apply to more functions carried out by the employer.

Who Is a HIPAA Business Associate?

A business associate is any entity that creates, receives, or transmits PHI in relation to a covered entity. Business associates are subject to the same HIPAA compliance rules as covered entities, and the same penalties apply for violation of these rules. In addition, covered entities and their business associates must enter into “business associate agreements” which explicitly require the business associate to comply with HIPAA and may set forth other terms such as notification and indemnification provisions.

As with covered entities in the healthcare sector, most business associates will know that their work subjects their business to HIPAA. However, any business that provides products and services that are or could be used to provide healthcare should carefully assess whether and to what extent HIPAA applies to it. For example, SaaS providers and app developers may have access to PHI, making them business associates that must comply with HIPAA. Some covered entities will push their vendors to enter into business associate agreements even where HIPAA does not directly apply to the vendor.

What Is PHI?

Protected health information is any individually identifiable health information that is created, received, stored, or transmitted by a covered entity (an entity subject to HIPAA, such as a health care provider, insurance company, or employer health plan) or by its business associates (the entities that access PHI on behalf of the covered entity).

What Is the HIPAA Privacy Rule?

The Privacy Rule is the part of HIPAA that protects PHI by limiting who can access it and how it may be used, and by providing individuals with rights relating to their PHI.

What Is the HIPAA Security Rule?

The Security Rule is the part of HIPAA that covers how electronic creation, storage, use, and disclosure of PHI must be done to ensure the privacy of PHI.

What Are My HIPAA Compliance Requirements?

When HIPAA applies, the entity is expected to comply with HIPAA’s broad range of requirements. Key compliance requirements include providing a notice of privacy practices, naming a compliance officer responsible for complying with HIPAA, establishing policies and procedures, conducting a risk assessment, and entering into necessary agreements, such as business associate agreements. See our detailed explanation, HIPAA and Employee Benefits: The Basics of Compliance.
