
HIPAA Peace of Mind Lesson 2: Are You Required to Be HIPAA Compliant?

There is often confusion about whether an organization falls under HIPAA regulations or not.

HIPAA regulates two types of organizations: Covered Entities and Business Associates. Simply put, a Covered Entity is any organization that processes electronic transactions with a health insurer, and Medicare and Medicaid are considered health insurers.

A health care entity that accepts only cash and has no electronic interaction with a health insurer is not a Covered Entity and is not regulated by HIPAA. However, these organizations still have a responsibility to keep medical records private and secure, and for this purpose they are instead regulated by the FTC and by state regulations. It should also be noted that a cash-only organization can still be considered a Business Associate.

A HIPAA Business Associate provides services to a Covered Entity that require it to access or store patient information. Hence, Business Associates must meet the same HIPAA Security Rule compliance requirements as Covered Entities.

Common examples of Business Associates include medical billing companies, IT companies, CPAs, attorneys, and software companies. If you are unsure of your status under HIPAA, give us a call to help you sort it out.

If you have questions about HIPAA or would like a complimentary HIPAA Compliance Review for your organization, please contact us.
