About a month ago, we had a call with IT management of a regional dental plan. During the call, this question came up: "How do I know when my obligation for email encryption ends?" In a nutshell, they were curious to learn more how email encryption responsibility works for Covered Entities.
Here are the topics we'll cover in this post:
- What is a Covered Entity?
- What is Protected Health Information? (PHI)
- Who must comply with HIPAA privacy standards?
- What is a Business Associate?
- What is a Business Associate Agreement?
- HIPAA Omnibus Rule for Covered Entities
What is a Covered Entity?
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are referred to as Covered Entities. The 3 categories of HIPAA Covered Entities are:
- Health Plans: Health Insurance companies; HMOs (Health Maintenance Organizations); Employer-sponsored health plans; and Government programs that pay for healthcare (Medicare, Medicaid, and military and veterans’ health programs)
- Healthcare Clearinghouses: Organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
- Certain Healthcare Providers: Providers who submit HIPAA transactions, like electronic claims. Common examples are Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing homes, and Pharmacies
As you can see from the above, Covered Entities can be institutions, organizations, or persons. Learn more: Covered Entities [HHS]
What is Protected Health Information? (PHI)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule uses Protected Health Information (PHI) to define the type of patient information that’s protected by law. PHI is an important factor for HIPAA compliance PHI isn’t just confined to medical records and test results.
In fact, any information distributed by a business associate that can identify a patient and is used or disclosed to a covered entity during the course of care is considered PHI. Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI.
Read full article: What is Protected Health Information (PHI)?
Who must comply with HIPAA privacy standards?
By law, the HIPAA Privacy Rule applies only to Covered Entities. Most Covered Entities however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations. If these services involve the use of protected health information, it means that organization is a Business Associate.
In summary, HIPAA compliance regulations apply to both Covered Entities and the Business Associates that serve them.
What is a Business Associate?
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.
Read full article: What does it mean to be a Business Associate?
What is a Business Associate Agreement?
A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA).
If you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.
Read full article: Business Associate Agreement Provisions
HIPAA Omnibus Rule for Covered Entities
Now that we've covered basic HIPAA terminology, we're ready to determine when liability for a Covered Entity or Business Associate ends once a secure email has been delivered. Our staff dug deep into the HIPAA Omnibus Rule to find the correct answer.
In the middle paragraph of page 5634, we see that: "Further, covered entities are not responsible for safeguarding information once delivered to the individual."
Once a secure email has been delivered to the end recipient's system, the covered entity or business associate has fulfilled their obligations for the HIPAA Privacy Rule.