Privacy Daily is a service of Warren Communications News.

HIPAA Applies to a Narrow Group of Covered Entities, Say Lawyers

A common misconception is that all health and medical data is subject to the Health Insurance Portability and Accountability Act (HIPAA), yet the consequences of getting that question wrong could be severe.


In fact, "HIPAA actually applies to a much narrower set of organizations than [is] generally understood," BCLP lawyers Amy de La Lama and Andrea Rastelli wrote in a blog post Tuesday.

"HIPAA’s privacy and security rules apply to covered entities and their service providers, business associates," they said. "While both covered entities and business associates are directly responsible for complying with HIPAA and can face related enforcement, covered entities have primary responsibility for HIPAA compliance." In this context, "business associates are persons or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of, or provide services to, a covered entity."

Health plans, health care clearinghouses and health care providers "that transmit any health information in electronic form in connection with a transaction covered by HIPAA" count as covered entities under the federal statute, the lawyers said, which means that "not all health care providers are covered by HIPAA."

De La Lama and Rastelli said these definitions matter because covered entities that fail to meet privacy and security obligations "can face significant penalties and other repercussions." And companies that incorrectly believe they are subject to HIPAA may fail to comply with state privacy laws or other statutes that apply when HIPAA doesn't, such as Washington state's My Health My Data Act (see 2502120053) and the California Consumer Privacy Act's sensitive personal information provisions.

Especially with the "significant uptick in data breaches targeting health care providers," de La Lama and Rastelli said, "it is imperative for providers and other companies that handle health and medical data to understand where they sit in the regulatory framework with respect to this data so they can appropriately meet their legal obligations."