Are medical technologists covered entities?

Medical technologists are not covered entities themselves, but they are subject to HIPAA regulations as business associates when they handle PHI on behalf of covered entities.


What is a covered entity?

HIPAA defines a covered entity as either an individual or organization that electronically generates, receives, stores, or sends protected health information (PHI). The three primary groups that fit this definition are healthcare clearinghouses, health plans, and specific healthcare providers. These entities transmit PHI for designated transactions.

Go deeper: What is a covered entity under HIPAA?


What is a medical technologist?

A medical technologist, also known as a clinical laboratory scientist or medical laboratory technologist, is a trained healthcare professional who performs laboratory tests and analyses on various types of specimens, such as blood, urine, tissue samples, and other bodily fluids. Their work is crucial in diagnosing, monitoring, and treating diseases and medical conditions.

Medical technologists typically work in clinical laboratories, hospitals, clinics, research facilities, and other healthcare settings. According to Forbes, the US had a shortage of approximately 20,000-25,000 medical technologists in 2022. The approximately 338,000 technologists working in the country equate to about one technologist per 1,000 people, which translates to a vacancy rate of 7% to 11% in almost every region. 


Medical technologists and PHI

When performing laboratory tests, medical technologists often receive patient samples or specimens accompanied by relevant patient information, such as name, date of birth, medical record number, and test orders. This information is considered PHI under HIPAA regulations.

Medical technologists are required to handle PHI in accordance with HIPAA guidelines to ensure patient privacy and confidentiality. This includes safeguarding PHI against unauthorized access, use, or disclosure, and following procedures for securely transmitting, storing, and disposing of PHI as mandated by HIPAA regulations and organizational policies.

Go deeper: What is protected health information (PHI)?


Are medical technologists covered entities?

Medical technologists, while they handle PHI as part of their job responsibilities, are typically considered "business associates" rather than covered entities under HIPAA. As such, they provide services to covered entities, such as hospitals or clinics.

See also: HIPAA Compliant Email: The Definitive Guide


What are business associates?

Business associates are individuals or entities that perform certain functions or activities on behalf of, or provide services to, covered entities that involve access to PHI.

Business associates have a legal obligation to comply with HIPAA regulations and are subject to the same privacy and security requirements as covered entities. This includes implementing safeguards to protect PHI, such as administrative, physical, and technical measures, and signing business associate agreements (BAAs) with covered entities outlining their responsibilities regarding PHI.




What is protected health information (PHI) under HIPAA?

Protected health information (PHI) includes any individually identifiable health information transmitted or maintained by a covered entity or business associate in any form or medium, including electronic, paper, or oral formats.

Read more: FAQs: Protected health information (PHI)


What obligations do business associates have under HIPAA?

Business associates are required to comply with HIPAA regulations, including the HIPAA Privacy, Security, and Breach Notification Rules. They must also enter into a written BAA with covered entities, outlining their responsibilities regarding the use and disclosure of PHI and ensuring appropriate safeguards are in place.

Learn more: What is the purpose of a business associate agreement?


Do business associates need to conduct HIPAA training for their employees?

Yes, business associates are required to provide HIPAA training to their employees who handle PHI. Training should cover topics such as privacy policies, security measures, handling PHI securely, and reporting breaches or violations.
