Understanding HIPAA: Covered Entities

by Matt DeNoncour | May 21, 2020

Generally, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to covered entities, defined as health plans, healthcare clearinghouses, or healthcare providers that electronically transmit protected health information (PHI) in connection with certain transactions. 

Health plans are individual and group plans that provide or pay the cost of medical care. Health plans generally include, among others: group health plans, health insurance issuers, health maintenance organizations, Medicare, Medicaid, long-term care policies, employee welfare benefit plans, healthcare services for military personnel and veterans, the Indian Health Service Program, the Federal Employees Health Benefits Program, approved State child health plans, the Medicare Advantage Program, a high-risk pool established under state law, and any other individual or group plan (or combination thereof) that provides or pays for the cost of medical care. Health plans do not include, among other exceptions, certain excepted benefits or government-funded programs whose principal purpose is other than providing, or paying the cost of, healthcare.

Healthcare providers are defined broadly to include every healthcare provider, whether an individual or an entity and regardless of size, that electronically transmits PHI in connection with certain transactions. Healthcare providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills or is paid for healthcare.

Healthcare clearinghouses are entities that process non-standard information they receive from another entity into a standard format or data content, or vice versa. Examples of healthcare clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions. 

Using technology, such as email, in the regular course of business does not mean a healthcare provider is a covered entity for purposes of HIPAA; the transmission of PHI must be in connection with a standard transaction to carry out financial or administrative activities related to healthcare. The Privacy Rule covers a healthcare provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.

In most instances, healthcare clearinghouses will receive individually identifiable PHI only when they are providing these processing services to a health plan or healthcare provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the healthcare clearinghouses’ uses and disclosures of PHI. As the value of data continues to drive growth in the healthcare industry, companies looking to utilize PHI aggregation should take care to transfer, aggregate, share, and process this PHI in the context of the HIPAA Rules.

Matt DeNoncour is the owner of Magis Law Firm, a solo law firm based in Boston, MA, where he provides legal services to the healthcare, biotechnology, and business communities. You can reach Matt at magislawfirm.com, by phone at 857-242-6826 or by email at matt@magislawfirm.com. This post is not meant to be legal advice.
