Who needs HIPAA?

We started GoldSky with the intention of educating small and medium business owners about both security and compliance.  Security means – in rough terms – doing what’s necessary to protect your organization’s data and resources. Compliance, be it private or public, is intended to ensure that organizations handle certain data securely.  In healthcare, we often refer to HIPAA as the big compliance framework that we must adhere to.

One thing that’s surprised us has been the lack of understanding of WHO needs to comply with HIPAA regulations?

HIPAA (and subsequently the HITECH Act) classifies this in three ways: Covered Entities, Business Associates, and Sub Contractors. We can all read the regulations on what this means, but I want to break this down in to very simple terms for the purposes of this article.

Covered Entities: Do you see patients? Do you create medical records? Are you a health insurance company? If so, you’re a Covered Entity and must comply with HIPAA!

Business Associates: Do you receive ANY medical information from a covered entity? Are you a malpractice, personal injury attorney? Are you a medical billing company? If so, you’re a Business Associate and must comply with HIPAA!

Subcontractors: Do you receive ANY medical information from a Business Associate? Do you receive data from a subcontractor of a subcontractor of a business associate? If so, you’re a Subcontractor and must comply with HIPAA!

The even shorter explanation is that if you receive medical data from a covered entity (whether 3rd, 4th, 5th, etc… hand), you must comply with HIPAA and the HIPAA Security Rule. That means, among other things, each link in that chain must have current and updated Business Associate Agreements (BAAs) and Security Risk Analyses at all times.

From a security perspective, this may sound daunting, but it’s really not. The HIPAA Security Rule is designed to make sure that healthcare records are protected, access to those records is tracked, that everyone you work with understands their obligations, and that you’re taking proactive measures to understand all of this.

Security compliance doesn’t have to be hard! We can help you navigate all of this, better protect your customer’s ePHI, and help you achieve compliance!