Who does HIPAA apply to?

It may seem obvious who HIPAA applies to – anyone with access to health information – but it is not as simple as one might think. The application of HIPAA is not discussed extensively in the act itself, so there can often be confusion as to who exactly must be HIPAA compliant.  

HIPAA, or the Health Insurance Portability and Accountability Act, was enacted in 1996 to reform the health insurance industry. It regulates the movement of insurance plans between employers (“portability”) and extends coverage to those with some pre-existing conditions. Therefore, most health insurance providers or employers that sponsor or co-sponsor insurance plans for their employees must be HIPAA compliant. 

HIPAA has four titles which cover a range of topics, but most will associate HIPAA with data privacy and accessibility. The section relating to protected health information (PHI), discussed below, in theory applies to everyone who uses healthcare facilities, as it grants them the right to privacy and gives them power over who can access their health information. 

The beginning of the Administrative Simplification Provisions of HIPAA Title II, Subtitle F, reads as follows: 

“It is the purpose of this subtitle to improve the Medicare program, the Medicaid program, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”.

The language here is vague, and some believe it implies that HIPAA applies only to those involved in electronic health transactions, though any such improvements would apply to healthcare providers, healthcare clearinghouses and providers of health plans. Towards the end of the Administrative Simplification Provisions, the section refers to “standards with respect to the privacy of individually identifiable health information”, finally implying that all data considered to be PHI – irrespective of its form – is covered by HIPAA.

Introduced in 2003, HIPAA’s Privacy Rule made reference to “covered entities” (CEs), detailing the requirement that they be HIPAA compliant without clearly defining what they were. It named health plans, healthcare clearinghouses and healthcare providers “who electronically transmit health information in connection with certain transactions” as CEs, but did not mention information that was conveyed or stored by other means. This was at odds with the Department of Health and Human Services’ (HHS) own definition of PHI. It is now accepted that the Privacy Rule applies to all identifiable health information, irrespective of its form.

HIPAA also applies to business associates (BAs), any entity that functions on behalf of a CE and may come into contact with PHI. BAs may be involved in data analysis, processing insurance claims, quality assurance or data storage and management, amongst other things. 

The partnership requires both parties to sign a business associate agreement (BAA; see 45 CFR 164.504(e)). This contract details how BAs are expected to be HIPAA compliant and how they will safeguard the confidentiality and integrity of the PHI. The BAA also stipulates who will have access to the PHI and how exactly it will be used; BAs cannot use the data for any purpose not covered by the contract. BAs must also be prepared to hand over any PHI to the individual it relates to if they request it. However, CEs are ultimately responsible for ensuring HIPAA compliance.

All subcontractors employed by BAs that may come into contact with PHI are also required to be HIPAA compliant. A further BAA is therefore required between a BA and its subcontractor, which acts as “satisfactory assurance” that the subcontractor is aware of its duties under HIPAA.

Healthcare data is often used in research settings, but are researchers required to be HIPAA compliant? If patients have authorized the use of their data for research purposes, CEs may disclose the data to researchers without the need for a BAA. However, the CEs must enter into a data use agreement with the researchers to ensure that the researchers safeguard the data in a HIPAA-compliant manner.

In the case of public health emergencies – such as the recent COVID-19 pandemic – certain aspects of the Privacy Rule are waived for public health authorities.