If your business provides services to healthcare providers or health insurance companies, it may have data privacy and security obligations under a federal law called HIPAA (the Health Insurance Portability and Accountability Act). If your business offers an online service or application, the first time you hear of HIPAA may be when a potential customer asks you to sign a “business associate agreement.” Even if you never sign a business associate agreement, you may still have compliance obligations under HIPAA, and if you fail to comply you may face penalties and liability for violations.
Health records are among the most sensitive sets of information about us. The results of an unauthorized disclosure of health records could be devastating. Leakage of health records could lead to victims’ embarrassment, stigma, job loss, and even identity theft. Following concerns about the privacy and security of health records in the 1990s, the public began to demand protection to ensure that the healthcare industry would implement controls over what information was gathered from patients, how the information could be shared, and the secure management of that information. When Congress overhauled the healthcare laws and called for greater use of electronic transactions, Congress was aware of the need for protections over the privacy and security of health information.
The need to simplify the administration of healthcare, coupled with public concern over privacy and security, prompted Congress to include privacy and security requirements in landmark healthcare legislation enacted in 1996. That legislation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has had a broad impact on the healthcare industry since its enactment, transforming practices for creating, storing, managing, transmitting, and disclosing health information in the United States. In 2009, as part of the American Recovery and Reinvestment Act, Congress passed the Health Information Technology for Economic and Clinical Health Act, also called the “HITECH Act,” which strengthened HIPAA’s privacy and security provisions.
Regulations issued by the Department of Health and Human Services apply to two main categories of businesses: HIPAA “covered entities” and their “business associates.” Covered entities are (a) health plans, (b) health care clearinghouses, and (c) health care providers that transmit any health information in electronic form in connection with a transaction governed by HIPAA. The HIPAA privacy and security regulations protect individually identifiable health information handled by these entities, called “protected health information” or “PHI” for short.
Healthcare functions are performed by a wide variety of individuals and organizations. In general, businesses that perform these functions for covered entities and require PHI to do so are business associates. Examples of service providers that may act in this role include entities providing the following services:
- Claims processing or billing;
- Data analysis;
- Utilization review;
- Quality assurance;
- Benefit management;
- Practice management;
- Hardware maintenance;
- Actuarial services;
- Data aggregation;
- Administrative services;
- Accreditation; and
- Financial services.
Most business associates fall into the category of service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate. If a covered entity has a business associate, which in turn outsources its services to a subcontractor, that subcontractor is also a business associate under HIPAA.
You may be thinking that your business is a general service provider and does not focus on the healthcare market. For instance, many general purpose Software as a Service (SaaS) companies or businesses that store data online through an app or online web application may think they have no HIPAA obligations. You may think to yourself that your services involve no use or disclosure of PHI and that you are performing no functions relating to HIPAA for your customers. You may even think that you do not have access to whatever data your customers store on your service, and don’t even want to have access to that data, at least not day to day. Some data storage vendors, for instance, have said that although they theoretically could look at customer data, they did not do that. They simply performed their services without accessing their customers’ data.
The 2013 Omnibus Rule makes it clear, however, that your business may fall under HIPAA even if you never access your customers’ data. HIPAA may cover your business even if you are completely unaware of what data your customers are storing on your service. Companies that maintain PHI for covered entities or business associates on their systems over time, as a service, are business associates regardless of whether they access, or even know about, that PHI. The only carve-out is the narrow “conduit” exception for services that merely transmit PHI, where any storage is transient and incidental to the transmission, such as an internet service provider or a courier. If a business holds PHI as part of its services for a covered entity or business associate customer for anything longer than such random and infrequent periods, it is a business associate, whether it knows it or not. Encryption does not change this analysis: the Department of Health and Human Services has stated that a cloud provider storing only encrypted PHI, without the decryption key, is still a business associate.
If you are running a business that creates, receives, maintains, or transmits health information for your customers, you should determine whether you are covered by HIPAA and, if so, what you will need to do to comply. Signing a business associate agreement is just the beginning. You will also need a written privacy and security program, including the documented risk analysis, policies, and procedures that the HIPAA Security Rule requires.
Stephen Wu wrote A Guide to HIPAA Security and the Law (Second Edition) published by the American Bar Association in August 2016. For more information on determining if your business falls under HIPAA, please contact Stephen Wu by completing the web form here.
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
Health Information Technology for Economic and Clinical Health Act, enacted within the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009).