HIPAA dates back to 1996 and stands for the Health Insurance Portability and Accountability Act. At first HIPAA's regulations were vague and saw little to no enforcement. That changed in 2009 with the HITECH Act (Health Information Technology for Economic and Clinical Health), which was part of the 2009 American Recovery and Reinvestment Act. HITECH charged the Office for Civil Rights (OCR) with enforcing HIPAA's rules, introduced tiered civil penalties reaching $50,000 per violation, and removed the defense that an entity reasonably did not know a violation had occurred. In 2013, the Omnibus Rule extended HIPAA's reach directly to companies working with medical entities, known as Business Associates (BAs).
Who Does HIPAA Regulate?
Any business that creates, receives, stores, edits, or transmits Protected Health Information (PHI) must comply with HIPAA regulations. HIPAA defines PHI as individually identifiable health information that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
- Relates to the past, present, or future physical or mental health or condition of any individual, or the past, present, or future payment for the provision of health care to an individual.
ePHI is the electronic version of PHI, known as Electronic Protected Health Information.
HIPAA breaks businesses into two categories:
- Covered Entities (CEs): health plans, health care clearinghouses, and health care providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospices, and pharmacies).
- Business Associates (BAs): any company that handles PHI on behalf of a Covered Entity, including IT firms, shredding companies, document storage companies, attorneys, accountants, collection agencies, EMR (Electronic Medical Record) vendors, data centers, transcriptionists, and many more.
HIPAA also requires every CE to have a Business Associate Agreement (BAA for short) in place with each Business Associate it works with directly.