Who Does HIPAA Apply To?
If you handle protected health information in any capacity, you need to be aware of HIPAA regulations since failure to comply can lead to federal investigations or fines. Follow this decision tree to assess whether you need to become HIPAA compliant or not.
Who Needs HIPAA Compliance?
Step 1: Determine if you are a Covered Entity.
A Covered Entity is a healthcare provider, health plan, or a healthcare clearinghouse that handles medical information which can identify an individual, called protected health information (PHI), as defined under HIPAA law (§160.103). Examples include hospitals, pharmacies, digital clinics, doctors' offices, health insurance companies, and medical billing services.
Are you a healthcare provider, health plan, or healthcare clearinghouse?
- If Yes: You need to be HIPAA compliant.
- If No: Proceed to Step 2.
Step 2: Determine if you are a Business Associate.
A Business Associate is a vendor or subcontractor who handles PHI on behalf of a Covered Entity or on behalf of another Business Associate, as defined under HIPAA law (§160.103). Examples of Business Associates include AI medical scribes, cloud service providers, data processing companies for clinical trials, AI phone call agents, and electronic health record system providers.
Do you handle PHI on behalf of Covered Entities or another Business Associate?
- If Yes: Proceed to Step 3.
- If No: You are exempt from HIPAA.
Step 3: Determine if you handle PHI.
If you handle PHI that can identify a patient, you need to become HIPAA compliant. However, if the PHI does not contain any of the 18 identifiers below, which are defined by HIPAA’s Safe Harbor provision (§164.502(d), §164.514(a)-(b)), and the information still cannot be used to trace back to the individual it belongs to, then you are exempt from HIPAA regulations.
18 identifiers defined by the Safe Harbor provision:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- URLs
- SSNs
- IP addresses
- Medical record numbers
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code
- Certificate/license numbers
Do you collect, store, or transmit PHI that isn’t de-identified according to the Safe Harbor provision?
- If Yes: You need to be HIPAA compliant.
- If No: You are exempt from HIPAA.
Which of the following scenarios requires HIPAA compliance?
AI Phone Calling Agents
Yes, you need to be HIPAA compliant. An AI phone calling service that assists healthcare providers in scheduling appointments, providing patient reminders, and communicating health-related information would need to become HIPAA compliant because it handles PHI during these phone calls and is used at hospitals and clinics (Covered Entities).
AI Medical Scribe
Yes, you need to be HIPAA compliant. An AI medical scribe that assists healthcare professionals in transcribing and documenting patient visits should be HIPAA compliant as it processes PHI to generate medical notes and is used by providers, clinicians, and hospital workers (Covered Entities).
Therapy Practice
You might need to be HIPAA compliant. Because many therapists do not accept insurance payments or conduct certain forms of electronic transactions, they might not be Covered Entities and hence might not be subject to HIPAA regulations. However, those that do accept insurance need to comply with HIPAA. Additionally, some therapists still choose to adopt HIPAA compliant practices because of the sensitive nature of information discussed during therapy sessions.
Smart Watch
No, you don’t need to be HIPAA compliant. A fitness app or wearable that tracks workouts, dietary habits, or overall health metrics (such as Fitbit or Apple Watch) does not need to be HIPAA compliant. The data captured and analyzed by these apps, including steps, calories burned, or sleep patterns, falls outside the jurisdiction of HIPAA protections, as these apps are typically consumer-facing and are not run by healthcare providers or clinics (Covered Entities).
Conclusion
Prioritizing HIPAA compliance is vital in the healthcare industry to uphold data security standards and maintain trust with clients. HIPAA regulations apply to (1) Covered Entities, which are healthcare providers, plans, and clearinghouses, and (2) Business Associates, which process PHI on behalf of Covered Entities or other Business Associates.
Jesus Jimenez is the co-founder and partner at Insight Assurance. Insight Assurance offers compliance audits to ensure that organizations meet all HIPAA requirements. Insight Assurance’s team of experts conducts thorough assessments, offers documentation assistance, and provides ongoing support throughout the auditing process. Delve is proud to be partnered with Insight Assurance to help companies navigate HIPAA compliance with confidence.