
Who HIPAA does not apply to and why

While HIPAA regulations apply to specific entities and individuals involved in handling protected health information (PHI), it's helpful to know who falls outside the scope of this legislation. 

Even if your organization isn't bound by HIPAA regulations, it's still worthwhile to safeguard patient information, and there are often state regulations to consider too.

Who is not required to follow HIPAA? 

HIPAA's primary focus is on covered entities and their business associates, which include healthcare providers, health plans, and healthcare clearinghouses. 

Entities and individuals who don't handle PHI on behalf of covered entities typically aren't subject to HIPAA regulations. However, these non-covered entities may still be responsible for protecting sensitive information under other federal and state privacy laws. 

The key factor determining whether an entity or individual is subject to HIPAA is their involvement in the handling, use, or disclosure of PHI on behalf of a covered entity.

 

Some examples of who HIPAA does not apply to:

  1. Employers (in their capacity as employers)
  2. Life insurance companies
  3. Workers' compensation carriers
  4. Auto insurance companies (when not providing health benefits)
  5. Schools and school districts (when not providing healthcare services)
  6. Law enforcement agencies
  7. State agencies not involved in healthcare administration or services
  8. Family and friends of the patient (unless acting as a personal representative)
  9. Fitness and health clubs
  10. Marketing companies (when not working on behalf of a covered entity)
  11. Researchers (when not obtaining PHI from a covered entity)
  12. Attorneys (when not working on behalf of a covered entity)
  13. Cosmetic service providers (when not processing healthcare transactions)
  14. Alternative medicine practitioners (when not processing healthcare transactions)
  15. Pharmacies selling over-the-counter products without PHI

 

Why HIPAA does not apply to them

HIPAA regulations don't apply to these entities and individuals because they don't typically handle, use, or disclose PHI on behalf of covered entities. The primary purpose of HIPAA is to safeguard individuals' health information, and these exemptions acknowledge that not all entities pose the same level of risk to PHI security and privacy.


 

The distinction between a covered entity and a non-covered entity

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that participates in specific electronic transactions involving the transmission of health information, known as HIPAA covered transactions. 

In contrast, a non-covered entity does not participate in these transactions or handle PHI on behalf of a covered entity, and therefore isn't subject to HIPAA regulations. However, non-covered entities may still need to adhere to other privacy laws depending on their industry or jurisdiction, such as Federal Trade Commission (FTC) regulations or state-specific privacy laws.

 

What are HIPAA covered transactions?

HIPAA covered transactions refer to specific electronic exchanges of health information that involve the transfer, processing, or coordination of healthcare data between covered entities or their business associates. 

They're standardized transactions, as defined by the HIPAA Transactions and Code Sets Rule, and aim to improve the efficiency and effectiveness of the healthcare system by streamlining electronic data interchange (EDI).

Covered transactions under HIPAA include, but are not limited to:

  1. Claims and encounter information: Submission, review, or payment of healthcare claims.
  2. Benefit eligibility inquiries and responses: Communication between healthcare providers and health plans to verify a patient's eligibility for specific services or benefits.
  3. Health plan enrollment and disenrollment: Processes related to an individual joining or leaving a health plan.
  4. Health plan premium payments: Transactions related to the payment of health insurance premiums.
  5. Referral authorization and certification: Obtaining approval for specific healthcare services or referrals to other providers.
  6. Coordination of benefits: Determining and allocating payment responsibilities when an individual has multiple health insurance plans.
  7. Healthcare payment and remittance advice: Communication of payment information between health plans and healthcare providers.

 

Safeguarding patient information even when not required by HIPAA

Even if an entity or individual is not considered a covered entity under HIPAA, safeguarding sensitive patient information is still a best practice. 

This is important for several reasons:

  1. Other regulators: Entities may still be subject to other privacy laws and regulations, such as those enforced by the FTC, which can impose penalties for mishandling personal information.
  2. State-specific privacy laws: Many states have privacy laws that mandate the protection of personal information, including health-related data.
  3. Trust and reputation: Ensuring the confidentiality and security of patient information helps build trust with clients and maintains a positive reputation in the industry.
  4. Cybersecurity risks: Data breaches and cyberattacks are increasingly common, and protecting sensitive information can help mitigate these risks.
  5. Ethical responsibility: Protecting patients' privacy is an ethical obligation, regardless of legal requirements.

By using HIPAA-compliant tools and adopting best practices for safeguarding patient information, non-covered entities can demonstrate their commitment to privacy and security. These practices include implementing access controls, encryption, secure HIPAA-compliant email, and staff training on privacy and security policies.

 

What to do if HIPAA applies to your organization

  1. Conduct a risk analysis: Assess potential risks and vulnerabilities to PHI within your organization.
  2. Develop and implement policies and procedures: Establish guidelines for handling PHI, managing privacy and security, and responding to potential breaches.
  3. Designate a Privacy Officer and a Security Officer: Appoint individuals responsible for ensuring compliance and overseeing privacy and security initiatives.
  4. Train your workforce: Provide regular training to all employees on HIPAA regulations, privacy practices, and security measures.
  5. Establish technical safeguards: Implement access controls, encryption, and secure communication channels for transmitting electronic PHI.
  6. Create physical safeguards: Restrict access to facilities and workstations containing PHI.
  7. Implement administrative safeguards: Develop processes for workforce clearance, information access management, and security incident procedures.
  8. Enter into business associate agreements (BAAs): Establish contracts with any business associates that handle PHI on your behalf, outlining their responsibilities for maintaining compliance.
  9. Develop a breach notification plan: Create a protocol for notifying affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media in case of a PHI breach.

For both covered and non-covered entities, it is crucial to adopt best practices for safeguarding sensitive information to build trust, maintain a positive reputation, and fulfill ethical obligations. Stay informed and diligent in your privacy and security efforts to contribute to a more secure healthcare environment for all.

 
