Generally, when you hear about HIPAA, the discussion is about a hospital or a medical group that had a breach or HIPAA violation. What most people don’t know is that HIPAA applies to organizations outside of hospitals and health networks. So who exactly needs to be compliant when it comes to HIPAA?
It can be somewhat vague when you start looking at HIPAA. The US Department of Health and Human Services refers to those who must be compliant as “covered entities.” Let’s dig a little deeper and understand what types of organizations are considered to be a covered entity.
Health Plans – Anyone who deals with insurance or medical information for patients.
- Human resource employees/employers and schools who handle patient information when the employees are hired and students are enrolled.
Health Care Clearinghouses – These are the organizations that collect any patient information from healthcare entities.
- Billing/Collection Services
- Health Management Information Systems
Health Care Providers – These are the entities that come to mind when thinking about HIPAA compliance.
- Nursing Homes/Care Facilities
Business Associates – This is where most people wouldn’t assume they need to be HIPAA compliant, but if you’re involved in any of the following, you need to ensure you’re in compliance.
- Data Processors
- Medical Equipment Companies
- Medical Transcription Services
- External Accountants and Auditors
- Any third-party organization dealing with PHI
At the end of the day, anyone who accesses or deals with Protected Health Information (PHI) should be complying with HIPAA regulation. PHI includes:
- Any conversation with medical professionals about a patient’s care or treatments
- Any patient billing information
- Any medical insurance information
If you have any questions about covered entities or whether you or your organization should be HIPAA compliant, please contact us! We can help you determine your needs and get started with compliance.