HIPAA data governance extends beyond doctors and healthcare providers to most entities providing services in the healthcare area. Understanding the role and responsibilities of the service providers is essential. The American Medical Association (AMA) now requires non-HIPAA-covered entities to protect sensitive Patient Health Information (PHI) they collect.
In this third blog of our HIPAA blog series, we take a closer look at what non-covered entities must know regarding protecting PHI.
What is HIPAA?
HIPAA is an acronym for Health Insurance Portability and Accountability Act. Enacted in 1996, this federal law safeguards the privacy rights of individuals in the United States against the disclosure and individually identifiable PHI.
HIPAA protects PHI such as:
- Diagnosis and treatment information
- Prescription information
- Medical test results
- Billing information
With that out of the way, the next question becomes;
What is a covered and non-covered entity?
To understand HIPAA rules for covered and non-covered entities, it is crucial to first distinguish between the two.
Covered entities
These entities are subject to HIPAA privacy regulations. There are three categories of covered entities under HIPAA as outlined below:
Healthcare provides
These get paid to offer healthcare. They include pharmacies, doctors, hospitals, dentists, and urgent care clinics, to mention but a few.
Health plans
These pay the cost of medical care. They include government-funded health plans such as Medicaid and Medicare, employer-sponsored group health plans, HMOs, health insurance companies, and more.
Healthcare clearinghouses
These process data for transmission in a standard format between covered entities.
Clearinghouses act as the link between healthcare providers and health plans. However, due to their function, they rarely handle patients directly.
For instance, a clearinghouse can take info from a doctor and convert it into a coded format for insurance purposes.
Free HIPAA Employee Training & Quiz
Non-covered entities
Non-covered entities are not subject to HIPAA regulations. Examples include:
- Health social media apps.
- Wearables such as FitBit.
- Personal Health Record (PHR) vendors.
- Personal record storage such as exercise and calories intake log.
- Providers who don’t have any records in electronic forms, such as some counselors.
While not-covered entities aren’t subject to HIPAA regulations, the law requires that they ensure the products or services they use don’t compromise patient privacy.
Are business associates covered entities?
Business associates create, receive, maintain and transmit PHI on behalf of a covered entity or another association acting as a subcontractor. See 45 CFR § 160.103 for the definition of a business associate.
Associates often provide services that don’t involve patient interaction. However, an associate may act on behalf of an organization that gives Personal Health Record (PHR) to individuals on behalf of covered entities.
It is this interaction that makes business associates “covered entities”.
For example, suppose an associate uses a device or app to carry out a business function involving handling PHI for a covered entity. In that case, the associate becomes subject to HIPAA privacy and security rules regarding the app and device.
In a nutshell, business associates must protect PHI they handle when offering services to covered entities.
How HIPAA affects covered entities
Covered entities must implement appropriate structures and policies to ensure that they comply with the Security Rule requirements.
The law requires a covered entity’s written security policies and procedures for at least six years since their initial creation date.
In addition, the entity must review and update these policies periodically in response to the organization and environmental changes affecting the security of electronic Protected Health Information (ePHI).
It is worth noting that HIPAA compliance is crucial for covered entities.
The consequences of HIPAA violations can be dire and crippling. Non-compliance can attract penalties ranging from $100 to 50,000 per violation with a maximum penalty of up to $1.5 per year.
Also, violations can result in jail time for the culprits.
How can non-covered entities secure SaaS products to ensure HIPAA compliance?
Even as a non-covered entity, you must ensure 3rd party SaaS products you’re using abide by the Security Rule.
Typically, HIPAA-compliant SaaS products offer technical, administrative, and physical safeguards against unauthorized leaks.
Administrative safeguards
These ensure admins and developers with access to ePHI are responsible for the data. Further, this implies training employees about the legal and ethical requirements of their roles.
Physical safeguards
These prevent data breaches by limiting persons with access to facilities and devices that carry ePHI. They include workstation management and having access control policies.
Technical safeguards
These deal with software and technologies used to protect ePHI.
The National Institute of Standards and Technology requires ePHI encryption to ensure sensitive patient data is undecipherable. Technical safeguards include integrity, access, and audit controls.
Unfortunately, not all SaaS products used by non-covered entities meet these standards. Therefore, you must practice due diligence when to avoid HIPAA, not compliance, which takes us to our next topic.
How to send HIPAA compliant emails and document sharing
With the right solution, you can share sensitive information and remain HIPAA compliant at the same time.
Polymer’s data governance and data loss prevention (DLP) solution for 3rd party SaaS apps allow you to keep the patient’s data secure while meeting HIPAA compliance standards even if you’re a non-covered identity.
The solution installs in a few clicks and is customizable as per your organization’s requirements.
