HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the US federal law that sets out how the organizations and individuals it calls covered entities must protect protected health information (PHI). HIPAA is much broader than that and also standardizes things like insurance claims and payment transactions, but our focus here is on its provisions for safeguarding PHI.
The Two Key Parties: Covered Entities and Business Associates
If HIPAA is designed to protect patient information, then it is important to understand which parties must abide by it. Organizations that meet neither the legal definition of a covered entity nor that of a business associate are not bound by the HIPAA Rules, even if they handle health information.
Loosely speaking, covered entities are the organizations that create, receive, store or transmit PHI in the course of delivering or paying for health care. The legal definition is narrower than that and is limited to the three categories below; note that a health care provider is a covered entity only if it transmits health information electronically in connection with a HIPAA standard transaction (such as a claim or an eligibility check).
Covered entities fall into three categories:
- Health care providers – These include hospitals, doctors, clinics, pharmacies, nursing homes, psychologists and similar types of providers.
- Health plans – Health insurance companies, company health plans, HMOs and Government-paid health care plans such as Medicare are all considered health plans.
- Health care clearinghouses – These are entities that either process or facilitate the processing of health information that they receive from other entities. Health care clearinghouses can be public or private, and can include things like billing services and repricing companies.
Individuals or entities that meet the definition of a covered entity are required to comply with the HIPAA Rules. These include the Privacy Rule, which governs how PHI may be used and disclosed and gives individuals rights such as access to their own records, and the Security Rule, which requires administrative, physical and technical safeguards for PHI that is held or transmitted electronically (ePHI).
Covered entities can’t do everything by themselves, and they frequently engage in the services of others to conduct their work. After all, if you ran a covered entity such as a hospital and you needed to send secure email to patients, would you set up your own infrastructure for it?
No, of course not. You would find a provider to do it for you. But how do you make sure the email provider protects the data in line with your organization's HIPAA responsibilities?
Thankfully, the legislators made provision for this. The providers that work alongside covered entities are referred to as business associates, and the HIPAA Rules set out how the two can share PHI so that it remains safeguarded.
Business associates can include a wide range of individuals and organizations, including web hosts, billing companies, consultants, legal firms, accountants, and many more. Any organization that creates, receives, maintains or transmits PHI on behalf of a covered entity is a business associate, whether or not it has signed the required agreement. Since the 2013 Omnibus Rule, business associates (and their subcontractors that handle PHI) are directly liable under the Security Rule and the applicable parts of the Privacy Rule, not merely contractually liable to the covered entity.
But what ensures that the business associate will protect the data appropriately?
The Business Associate Agreement
The relationship between a covered entity and a business associate is formalized by the business associate agreement (BAA), a contract that the Privacy Rule requires to be in place before any PHI is shared. It sets out what the business associate is permitted to do with the PHI, what safeguards each party will apply, what each side's obligations are (including reporting breaches and security incidents, flowing the same terms down to subcontractors, and returning or destroying PHI when the contract ends), and where responsibility lies. These agreements protect both the covered entity and the individuals whose data is involved, because the contractual and regulatory weight behind them obliges business associates to take their responsibilities seriously.
Violation Costs for Covered Entities and Business Associates
HIPAA cannot be treated as dull, bureaucratic box-checking; the penalties are too high for such a casual approach. Both covered entities and business associates face civil penalties that, under the original HITECH Act schedule, range from $100 to $50,000 per violation, with the tier determined by the level of culpability (from "did not know" up to willful neglect that is not corrected) rather than by the severity of the harm. These amounts are adjusted for inflation each year, and knowing misuse of PHI can also draw criminal charges.
Considering the number of individual records most organizations handle, this can very quickly add up to the annual maximum, originally set at $1.5 million for all violations of an identical provision in a calendar year.
If you are a covered entity, you need trusted business associates
If your organization is a covered entity, it can be difficult to find a business associate that meets its needs for secure email, web hosting, and related services. Few providers have the right combination of protection measures, verified HIPAA compliance, functionality, and effectiveness that your business requires, and fewer still will sign a BAA that covers every service you use.
LuxSci's services are specifically tailored to combine all of these traits. They are designed to be easy to use, efficient, secure, and to comply with the legislation. Our company's focus at this juncture makes LuxSci a strong fit for healthcare organizations and others that process ePHI. Call us if you want to learn more about how our solutions can work for your company.