The Health Insurance Portability and Accountability Act (HIPAA) establishes certain minimum requirements for the protection of patient health information. So, for example, restrictions on how your doctor keeps electronically stored medical records, and the specific circumstances under which they can disclose that information to a third party, are governed by HIPAA. Unknown to many businesses, however, are HIPAA requirements that often extend beyond a doctor’s office, and can hold a number of other entities accountable (including imposing stiff monetary penalties) for how they keep and process medical information.
HIPAA coverage extends, inter alia, to any (1) healthcare provider that (2) electronically transmits health information in connection with certain transactions, typically including financial or administrative activities related to healthcare. The regulations define a healthcare provider broadly to include not only institutional healthcare providers and physicians, but therapists, aides, suppliers, pharmacies, and individuals or organizations that furnish or are paid for healthcare services or supplies in the normal course of their business. In other words, entities that provide these services or supplies, and then electronically transmit health information as part of billing or referral processes, are likely covered by HIPAA’s requirements.
These requirements can be burdensome, including strict standards for how an entity handles protected health information. Rules set forth by the U.S. Department of Health and Human Services (HHS) detail a number of safeguards related to administrative, physical, and technical security standards. Moreover, HHS privacy rules cover not just the protection of patient information, but standards for how companies must respond to a breach.