Role of DHHS and ARRA
The U.S. Department of Health and Human Services (DHHS) (hhs.gov/hipaa [1]) is responsible for updating covered entities and issuing new standards for the use or exchange of Protected Health Information (PHI). Traditionally, a healthcare provider claiming HIPAA compliance meant that it adhered to the HIPAA Privacy Rule (Stanford University Overview [2]). Over time, achieving HIPAA compliance has become more straightforward, largely due to the enactment of the American Recovery and Reinvestment Act of 2009 (ARRA). The ARRA is notable for including the Health Information Technology for Economic and Clinical Health Act (HITECH Act – HHS.gov [3]).
HIPAA Act of 1996
The HIPAA Act of 1996 (HIPAA Law – CDC.gov [4]) established strict standards for a patient’s Protected Health Information (PHI) as part of its Privacy Rule regulations.
The HIPAA Privacy Rule
Covered Entities
The Privacy Rule addresses all aspects of storing, accessing, and sharing an individual’s medical and personal information. Central to these regulations is the concept of a Covered Entity. All Healthcare Providers and Health Plans are considered Covered Entities, including state, federal, private, employee, and veterans’ welfare health insurance plans (Covered Entities – Wikipedia [5]).
Business Associates
However, the definition of a Covered Entity extends beyond this to include all Business Associates (Business Associates – HHS.gov [6]) involved in accessing or sharing an individual’s medical health information. A Business Associate is an individual or organization directly involved in the operations of a Covered Entity or acting on its behalf, excluding employees of the Covered Entity. For instance, clerical staff at a healthcare center are not considered Business Associates, but an outsourcing firm handling medical billing for the facility is. These Business Associates are obligated to follow HIPAA compliance guidelines.
Examples of Business Associate Services
Typical services provided by Business Associates include:
- Handling a patient’s personal or medical data
- Assisting with administrative functions
- Providing legal, financial, or insurance-based consultations
References
[1] U.S. Department of Health & Human Services – HIPAA for Professionals (.gov)
[2] Stanford University – HIPAA Privacy Rule Overview (.edu)
[3] HITECH Act – HHS.gov (.gov)
[4] HIPAA Law – CDC.gov (.gov)
[5] Covered Entities – Wikipedia (wiki)
[6] U.S. Department of Health & Human Services – Business Associates (.gov)