[ Thursday, August 11, 2016 ]
Jeff [12:25 PM]
Just because you're a healthcare provider does not mean HIPAA is applicable to you.
I was having a conversation just last night regarding this issue: HIPAA only applies to health plans, health care clearinghouses, and health care providers "who transmit any health information in electronic form in connection with a transaction covered by" HIPAA. The 8 HIPAA-covered transactions are:
- Health claims and equivalent encounter information.
- Enrollment and disenrollment in a health plan.
- Eligibility for a health plan.
- Health care payment and remittance advice.
- Health plan premium payments.
- Health claim status.
- Referral certification and authorization.
- Coordination of benefits.
If you are a health care provider but don't undertake any of the above transactions in electronic form, then you are not covered by HIPAA. That does not mean you are entirely in the clear.
If you suffer a breach, you may have state law reporting obligations you must still clear. And if you serve as a business associate for a covered entity, you may become subject to HIPAA via that back-door route. However, the potential for big HIPAA fines is not there if you are not a HIPAA covered entity.
This was illustrated by a New Jersey case last year, which I also blogged about (albeit in a different, more esoteric context).