Who Needs to be HIPAA Compliant?

by Robert Bruce - June 24, 2015

The common misconception that the Health Insurance Portability and Accountability Act (HIPAA) is just for medical companies is one that could have serious consequences, especially for a small-to-midsized business (SMB).

The act has official rules that specify required compliance by covered entities (CE), which are: healthcare providers, health plans, or healthcare clearinghouses, and business associates — that is, any company that comes in contact with electronic protected health information (e-PHI). According to the U.S. Department of Health and Human Services, all of these are considered covered entities and must comply with HIPAA encryption requirements to protect the privacy and security of protected health information.

Keep reading to learn more about:

  1. Who needs to be HIPAA compliant
  2. Why being compliant is a necessity
  3. PHI implications
  4. And more


Who needs to be HIPAA compliant?

Covered healthcare providers include, but are not limited to, hospitals, clinics, regional health services, and individual medical practitioners that carry out transactions in electronic form. Health plans may involve insurers, HMOs, Medicaid, Medicare, prescription drug card sponsors, flexible spending accounts, and public health authorities. Health plans also frequently involve employers, schools, and universities that collect, store, or transmit e-PHI in order to enroll employees or students in a health plan.

Healthcare clearinghouses, such as billing services and health management information systems, usually receive non-standard health information from other entities and convert it into a standard electronic format, or vice versa. A business associate is any organization or individual that acts as a vendor or subcontractor to a covered entity and has access to e-PHI in that role.

Here is a categorical list of covered entities starting with the health fields, followed by some examples of business associates that typically come into contact with protected health information:

Healthcare Providers include:

  1. Physicians
  2. Surgeons
  3. Dentists
  4. Psychologists
  5. Chiropractors
  6. Clinics
  7. Hospitals
  8. Nursing Homes and Assisted Living Facilities
  9. Pharmacies

Health Plans include:

  1. Medical Insurance Companies
  2. Company Health Plans
  3. Health Maintenance Organizations (HMO)
  4. Government Programs such as Medicare, Medicaid, Military and Veterans Healthcare Systems
  5. Medical Savings Accounts

Business Associates may include:

  1. Internet technology and data transmission providers, such as web-hosting companies and managed service providers (MSP)
  2. Hardware support and maintenance firms
  3. Software providers and application services, including software-as-a-service (SaaS)
  4. Data storage and/or disposal services such as document shredding companies
  5. Medical equipment companies
  6. Consultants hired for audits, coding reviews, etc.
  7. Electronic health information exchanges
  8. Medical transcription services
  9. External auditors or accountants
  10. Attorneys with access to PHI


Protected Health Information (PHI) Implications

Because such a wide range of entities and business associates are covered by HIPAA, it is critically important to know exactly what PHI entails. Any information in a medical record that can identify an individual and that was created or used while providing health care (such as a diagnosis or treatment) falls under the category of protected health information. Protected health information has been defined as any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This includes any part of a patient's medical record or payment history.

Paper records held by a medical or dental practice are not exempt from HIPAA regulation. Claims submitted as hard copies to a billing company, and then in turn transmitted electronically to payers, are subject to HIPAA rules. PHI also includes any conversations a patient has with a physician or nurse about his or her treatment; a patient's billing information; and medical information in the patient's health insurance company's database.

Before a covered entity releases any PHI to an outside party, the correct patient authorization form must be completed. It should include the patient's legal name, the specific information that is permitted for disclosure, and the dates for which the authorization is valid.

Employees need to be very careful about discussing any PHI with unauthorized third parties. Inadvertently sharing PHI through gossip or conversations with friends, family, or co-workers is, unfortunately, a common HIPAA violation.