What Is HIPAA and How Does It Affect Me?

We’ve heard a lot about HIPAA in recent years, but there’s a lot of misinformation surrounding what HIPAA does, who it impacts, and how. Below, we’ll clarify what HIPAA is and isn’t, who it applies to and who it doesn’t, and try to dispel common myths.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It’s a law that was passed in 1996 and updated several times over the years to account for new technology and policy concerns. HIPAA requires compliance with five main rules.
HIPAA regulations protect the privacy of patients’ sensitive health information. HIPAA ensures that a patient’s health information can’t be disclosed without their consent or awareness. In recent years, this has come to include provisions to protect against cyberattacks.
In addition to protecting protected health information (PHI), HIPAA contains several administrative simplification provisions. These standardize the coding and transmission of medical records and prohibit Medicare/Medicaid fraud.
What Information is Protected by the Health Insurance Portability and Accountability Act?
HIPAA protects what it calls Protected Health Information (PHI). This is essentially any identifying information that could breach a patient’s confidentiality, including:
- Names
- Social Security numbers
- Telephone numbers
- Email addresses
- Fax numbers
- Elements of dates
- Geographic data
- Full-face photos and comparable images
These are only some examples of PHI. If someone can use certain information to piece together the identity of a patient, it’s best to consider that information protected. This is especially relevant with marketing and social media.
Not all records kept by medical practices count as PHI. For example, employee information and accounting records – any paperwork not connected to individual patients – do not fall under HIPAA compliance.
Who Is Affected by HIPAA?
Two broad categories of organizations are required to stay in HIPAA compliance – “covered entities” and “business associates.”
As defined by HIPAA, covered entities include:
- Healthcare Providers: Providers of medical or health services and any organization or person who “furnishes, bills, or is paid for health care in the normal course of business.” Examples include hospitals, clinics, doctors, nurses, dentists, chiropractors, nursing homes, pharmacies, rehabilitation facilities, and more.
- Health Plans: Any “individual or group plan that provides or pays the cost of medical care.” Examples include health insurance companies, HMOs, company health plans, and government programs like Medicare, Medicaid, and military/veterans’ health services.
- Healthcare Clearinghouses: Any “public or private entity” that either processes or facilitates the processing of health information from another entity. Examples include billing services, repricing companies, community health information systems, and value-added networks/switches.
Covered entities under HIPAA are bound by most of its provisions – these were the original target of HIPAA compliance.
HIPAA regulations also address business associates, defined as an individual or organization – outside the workforce of a covered entity – that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or that performs services involving the disclosure of PHI from a covered entity.
The full definition of a business associate under HIPAA is long and complicated, with many inclusions and exclusions, but here are some examples provided on the Department of Health and Human Services (DHHS) website:
- Third-party administrators that facilitate claims processing
- CPA firms, when their accounting services involve access to PHI
- Attorneys whose legal services involve access to PHI
- Consultants who perform reviews for a hospital
- Medical transcriptionists who provide services to physicians
- Pharmacy benefits managers that manage a health plan’s pharmacist network
Business associates are required to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Covered entities are responsible for securing signed Business Associate Agreements before disclosing PHI.
Finally, all patients of covered entities in the U.S. are also affected by HIPAA since it’s their information that’s being protected. This protection persists for 50 years after death, with certain exceptions. In addition, HIPAA gives patients the right to access their own protected health information, though there are certain circumstances where denial of access is allowed.
Who is Not Bound by HIPAA Compliance?
During the pandemic, we heard a great deal about “HIPAA violations” that weren’t really HIPAA violations, because the organizations involved had no responsibilities under HIPAA in the first place.
For example, most people’s employers can’t commit a HIPAA violation against them. HIPAA doesn’t prohibit your employer from requesting details of your vaccine records, test results, or healthcare coverage, nor does it stop them from asking for a doctor’s note for an absence. If they share this information, it may be a violation of your privacy, but it’s not a violation of HIPAA unless your employer also provides you with health services as a covered entity.
The media are also not bound by HIPAA. Covered entities can get in trouble for unauthorized disclosures of PHI to the media, but journalists and media organizations themselves have no HIPAA obligation to keep the information private once it is out.
Certain government functions also fall outside the bounds of HIPAA’s Privacy Rule. School districts, law enforcement agencies, child protective services, and municipal offices can all request or use medical information in ways that are not HIPAA violations.
What Happens When HIPAA is Violated?
Some HIPAA violations are discovered through security breaches or internal audits and self-reported by a HIPAA-bound organization. However, if a patient thinks a covered entity or business associate has violated their privacy, there are several avenues for recourse. HIPAA also protects whistleblowers who work for covered entities or business associates.
HIPAA is enforced by the HHS Office for Civil Rights in non-criminal cases and the Office of the Inspector General in criminal ones. There are many different types of HIPAA violations that range from accidental to malicious, so not all violations are treated the same.
Generally speaking, there are four major penalties that can result from a HIPAA violation:
- Civil penalties
- Criminal penalties
- Termination of employment
- Medical license revocation or suspension
The exact consequences will depend on the scope and nature of the violation(s) as well as whether the violating organization or individual has been in trouble before.
Protect Yourself from HIPAA Violations with Online Compliance Training
Due to the serious consequences of violating HIPAA, it’s important for individuals who are bound by HIPAA regulations to educate themselves on how to follow the law.
In fact, an organization’s HIPAA compliance includes the need to regularly train its employees, and the safest way to meet that obligation is with high-quality professional HIPAA training from a reputable provider like us.
We have HIPAA courses targeted to a variety of audiences, including HIPAA for Healthcare Workers, HIPAA for Medical Office Staff, HIPAA for Business Associates, and much more. These courses are self-paced, interactive, and designed to teach each individual what they need to know to maintain HIPAA compliance in their role.