Who is Regulated by HIPAA?

Modified on Tue, 13 Feb at 5:35 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

"Wait! You have to take me to shore. According to the Code of the Order of the Brethren..." - Elizabeth Turner

"First, your return to shore was not part of our negotiations nor our agreement so I must do nothing. And secondly, you must be a pirate for the pirate's code to apply and you're not. And thirdly, the code is more what you'd call "guidelines" than actual rules." - Captain Barbossa

If you have seen the first Pirates of the Caribbean movie (Pirates of the Caribbean: The Curse of the Black Pearl), there's a good chance you remember the above dialogue exchange in the movie.

Captain Barbossa was not a lawyer, but he understood a key concept that crops up in law all of the time: laws (the equivalent of what Barbossa calls "rules") that regulate conduct do not necessarily apply to everyone.

The HIPAA statute ("statute" is another word for law) was passed in 1996. The statute describes who it applies to:

(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with certain transactions.

The HIPAA statute directed the HHS Secretary to "establish specifications for implementing each of the standards... of the HIPAA law," including the standards for privacy and security of protected health information.

HHS first "established specifications" when it issued its first final Privacy Rule in December of 2000, and in that rule it gave these entities a name: "covered entities" (p. 82470). This first Privacy Rule has been amended a number of times since 2000, but the scope of its coverage remains the same: it still applies to covered entities, which are still defined as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with certain transactions.

You must be regulated by HIPAA for HIPAA to apply to you.

What does this mean, practically speaking?

Many healthcare providers do not accept patients' medical insurance, whether that insurance is private or government-sponsored. These providers, if they do not electronically transmit health information in connection with certain standard transactions, are not covered entities. HIPAA does not apply to them.

Many entities to which HIPAA does not actually apply nonetheless seek to comply voluntarily. Voluntary compliance signals to patients and to other healthcare and healthcare-related entities that a provider is taking the privacy and security of patient information seriously.

What happens when a provider who is not actually subject to HIPAA, but who is voluntarily meeting its standards, suffers a data breach? What happens if such a provider does not provide patients with copies of their ePHI, as required by the HIPAA right of access rule?

Let's take a look. Say I am such a provider. I fail to respond in a timely manner to a patient's request for access to the protected health information I maintain about them. The patient files a complaint with the Office for Civil Rights (OCR). When OCR receives the complaint, it might send me a document request. That request might contain a list of questions asking whether I engage in any of these "transmissions between two parties to carry out financial or administrative activities related to health care":

1. Health care claims or equivalent encounter information.
2. Health care payment and remittance advice.
3. Coordination of benefits.
4. Health care claim status.
5. Enrollment and disenrollment in a health plan.
6. Eligibility for a health plan.
7. Health plan premium payments.
8. Referral certification and authorization.

I do not engage in any of these transmissions. I state this fact on the document request and return my response to OCR. OCR reads my responses and, in conjunction with other information about my practice that I submitted, determines that, yes, indeed, I do not engage in any of these transactions.

What happens to the patient who filed the complaint? OCR will dismiss the complaint for lack of jurisdiction. The HIPAA law set forth whom OCR can enforce HIPAA against - covered entities - and I am not on HIPAA's list of covered entities. I'm not a pirate. Therefore, I am not subject to liability for having "violated HIPAA."
