HIPAA privacy and security
  • Health care plans (including employer group plans), health care clearinghouses, and medical care providers (collectively referred to as “covered entities”) must protect the privacy and security of an individual’s PHI.
  • If a “covered entity” engages a “business associate” to help carry out its health care activities and functions, the covered entity must have a written contract with the business associate or other arrangement that sets forth what the business associate has been engaged to do and requires the business associate to comply with the HIPAA requirements to protect the privacy and security of PHI.

HIPAA has privacy and security regulations that have an impact on employers’ health care plans. Plans (or those responsible for them — but not the sponsor/employer) must protect the privacy of protected health information (PHI). The privacy regulations also give individuals the right to access and amend their PHI, and to request an accounting of the uses and disclosures of their PHI.

Who is covered by the privacy and security provisions?

HIPAA’s privacy and security rules affect most “covered entities” and their “business associates.”

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) medical care providers who electronically transmit any PHI in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. Covered entities include:

  • Health plans — This includes health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care, such as traditional fee-for-service Medicare (Parts A and B), Medicare Advantage (Part C), Medicare Prescription Drug Plans (Part D), Medicaid, and military and veteran health care programs.
  • Health care clearinghouses — This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
  • Medical care providers — This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, but only if they transmit PHI in an electronic form in connection with a transaction for which HHS has adopted a standard.

If a covered entity engages a “business associate” to help it carry out its health care activities and functions, the covered entity must have a written contract with the business associate or other arrangement that sets forth what the business associate has been engaged to do and requires the business associate to comply with the HIPAA requirements to protect the privacy and security of PHI. Like the covered entities, these business associates are directly liable for compliance with certain provisions of the HIPAA privacy and security rules.

Definitions

For definitions of “covered entity,” “business associate,” and “protected health information,” see the HHS regulations at 45 CFR 160.103.

Exceptions to HIPAA privacy and security rules

There are exceptions — a group health plan with fewer than 50 participants that is administered solely by an employer that established and maintains the plan is not a covered entity and, therefore, not subject to the administrative simplification requirements of the HIPAA privacy and security rules. Certain types of insurance which are not health plans are also exempt, including workers’ compensation, life insurance, car insurance, and property insurance.