Who Does HIPAA Not Apply To?

HIPAA does not apply to multiple types of organizations including healthcare providers that do not qualify as covered entities, public schools that only provide medical services for students, and financial institutions that process payments on behalf of covered entities. However, although HIPAA does not apply to these organizations, other state privacy laws may apply.

When Does HIPAA Not Apply to Healthcare Providers?

HIPAA applies to organizations that qualify as health plans and health care clearinghouses as these terms are defined in the General Provisions of the Administrative Simplification Provisions (§160.103). It also applies to healthcare providers that transmit “any health information in electronic form in connection with a transaction covered by [Part 162]”.

The Applicability clause of the General Provisions (§160.102) means that HIPAA does not apply to healthcare providers who do not conduct Part 162 transactions – or who do conduct Part 162 transactions, but not electronically. Examples of healthcare providers that do not qualify as HIPAA covered entities – and to whom HIPAA does not apply – include:

  • Therapists who do not accept insurance or Medicare and bill clients directly.
  • Podiatrists who bill insurance companies, but not using Part 162 code sets.
  • Medical centers that conduct Part 162 transactions by mail or PSTN phone.

Exceptions When HIPAA Does Apply To Non-Qualifying Healthcare Providers

HIPAA applies to non-qualifying healthcare providers when they provide a service for or on behalf of a covered entity as a business associate. If, for example, a podiatrist is contracted by a hospital to treat patients, the podiatrist becomes a business associate of the hospital and HIPAA applies in respect of the patients treated on behalf of the hospital.

In addition, if any of the above non-qualifying healthcare providers conduct a “covered transaction” electronically, HIPAA can apply to the transaction, or a part of the healthcare provider’s operations, or the whole operation. For example:

  • If a therapist agrees to accept a payment for a client’s treatment from Medicare, HIPAA applies to the security of the transaction and the privacy of the client’s data.
  • If the therapist accepts subsequent patients whose treatment is paid for by Medicare, the therapist can isolate Medicare patients’ data and operate as a hybrid entity.
  • Alternatively, the therapist can adopt all applicable HIPAA standards and operate as a covered entity. This is often preferable to complying with two sets of regulations if state privacy laws also apply.

Who Does HIPAA Not Apply to in Education?

The question of who HIPAA does not apply to in education is complicated by HIPAA defining health information as information relating to an individual’s health condition, treatment for the condition, or payment for the treatment created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse (summarized from §160.103).

This definition implies that HIPAA should apply to any school or university that maintains medical records about students. However, the definition of Protected Health Information in §160.103 excludes individually identifiable health information maintained in students’ education records covered by the Family Educational Rights and Privacy Act (FERPA) because FERPA has more stringent requirements relating to the privacy of data.

In education, HIPAA does not apply to any elementary, secondary, or post-secondary school, college, or university that receives funds from programs administered by the Department of Education. It also does not apply to any state or local education agencies. For the avoidance of doubt, HIPAA does apply to private and parochial elementary and secondary level schools that do not receive public funding.

Why HIPAA Does Not Apply to Payment Processors

In theory, payment processors such as banks and credit card companies should be considered business associates under HIPAA because they perform services on behalf of a covered entity that involve disclosures of PHI. However, in the text of HIPAA, a clause exists (§1179) which exempts financial institutions from HIPAA when they authorize, process, clear, settle, transfer, reconcile, or collect payments for healthcare or health plan premiums.

This exemption was confirmed by HHS’ Office for Civil Rights in the preamble to the Final Omnibus Rule in 2013. Discussing who qualified as a business associate (or who qualified as a subcontractor of a business associate), HHS’ Office for Civil Rights stated: “the HIPAA Rules, including the business associate provisions, do not apply to financial institutions with respect to the payment processing activities identified in §1179 of HIPAA”.

It is important to be aware that while it is possible to include financial institutions in a list of who HIPAA does not apply to, the exemption only applies to payment processing activities. If a financial institution provides support services that involve disclosures of PHI, it does qualify as a business associate. For this reason, it is possible to accept payments through services that would not otherwise be HIPAA compliant such as PayPal, Stripe, and Zelle.

Other Examples of When HIPAA Does Not Apply

There are many other examples of when HIPAA does not apply. These include when an insurance company provides health coverage secondary to another type of coverage (e.g., auto insurance), when disclosures of PHI are made to government agencies under §164.512 of the Privacy Rule (e.g., to public health authorities), and when a state privacy law has more stringent requirements relating to the privacy of data or individuals’ rights.

The reason it is important to know who HIPAA does not apply to – or when HIPAA does not apply – is not only to prevent organizations that do not qualify as covered entities from undertaking unnecessary compliance activities. It can also reduce the compliance workload for organizations that do qualify as covered entities when they contract a service to a third party that involves a disclosure of PHI, but to whom HIPAA does not apply.

Organizations unsure about who HIPAA does not apply to are advised to seek advice from a compliance professional. Although implementing more compliance measures than necessary may not appear to have negative consequences, it may divert resources from other compliance obligations, which could then result in an increase in the cost of HIPAA compliance or avoidable HIPAA violations if gaps appear in existing efforts.