Am I a HIPAA Covered Entity - Landscape

Am I a HIPAA Covered Entity?

114
2

HIPAA covered entities have strict regulatory requirements outlined in by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA covered entities are clearly defined in the regulation as any health plan, health care clearinghouse, or health care provider who transmits any protected health information (PHI). PHI is any demographic information collected by a covered entity that can be used to identify a patient. That includes names, addresses, dates of birth, social security numbers, and medical information, to name a few examples.

That means that all health care providers, including behavioral health specialists, necessarily fall under HIPAA regulation as a covered entity.

But what does that mean for your practice? Below, we discuss the regulatory requirements that all HIPAA covered entities are mandated to address in order to keep PHI private and secure.

HIPAA Compliance for Covered Entities

A HIPAA covered entity must address all of the regulatory standards set out in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.

An effective HIPAA compliance program must address:

  • Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
  • Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse any potential HIPAA violations.
  • Policies, Procedures, Employee Training – To avoid HIPAA violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is also required.
  • Documentation – Your practice must document efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
  • Business Associate Management – You must document all vendors with whom you share PHI, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
  • Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: The Telebehavioral Health Institute (TBHI Telehealth.org) offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to TBHI Privacy Policy and Terms and Conditions.

Subscribe
Notify of
guest
2 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Barbara Griswold, LMFT
Barbara Griswold, LMFT
5 years ago

Question: I had been told by lawyers at the California Assn of Marriage and Family Therapy that you were only a HIPAA covered entity if you transmitted PHI via the internet, since HIPAA really addresses internet transactions. Therefore, he said, providers who transmitted all info to health plans via fax, phone, and snail mail were not HIPAA covered entities. Your article seems to suggest that all therapists are HIPAA covered entities.

Marlene Maheu, Ph. D.
Marlene Maheu, Ph. D.
Reply to  Barbara Griswold, LMFT
4 years ago

Barbara,
HIPAA covers all electronic transmissions. Please see the http://hhs.gov website for details: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html If you conduct a few other searches on that site, you’ll see many key facts related to HIPAA and how to comply.

2
0
Would love your thoughts, please comment.x