HIPAA Applicability - Understanding the Security, Breach Notification, and Privacy Rules

This post is intended to help organizations understand how the Health Insurance Portability and Accountability Act (HIPAA) Security, Breach Notification, and Privacy Rules apply to them, either directly as a Covered Entity or via their relationship with another organization as a Business Associate. Applicability of the Administrative Rule is also covered due to its overlap with the Security, Breach Notification, and Privacy Rules.
Many organizations misunderstand what qualifies as a Covered Entity or Business Associate, and also the definition of Protected Health Information (PHI) including Electronic Protected Health Information (ePHI), under HIPAA. These terms are not as broad as most organizations believe them to be, and this leads to misunderstandings about to whom and how the HIPAA Rules apply.
This post is part of a series that explains the terms that determine HIPAA applicability. Organizations may want to confirm whether they meet the definition of a Covered Entity or Business Associate, and check their understanding of the definition of PHI, before reviewing this applicability information:
- HIPAA Covered Entities - It’s More Than Just PHI
- HIPAA Business Associates - What’s Your Function?
- HIPAA Protected Health Information - When Health Information Isn’t Protected
- HIPAA, HITECH, and HITRUST - It’s HI Time to Make Sense of it All
TrustedSec has years of experience helping organizations meet HIPAA security and privacy compliance requirements. Please get in touch with us for any questions on this topic or if your organization needs assistance with its HIPAA Compliance program.
Basic Applicability
Once an organization determines whether it is a Covered Entity and/or a Business Associate, it can work out how each of the HIPAA Rules applies to it. This table gives an overview of the purpose and applicability of each HIPAA Rule; the applicability of each rule is described in more detail later in this post:
Rule | Purpose | Applicability |
---|---|---|
Administrative Rule | Standardization of health identifiers, code sets, and formats for electronic data exchanges | Applies uniformly to Covered Entities transmitting Covered Transactions. Only applies to Business Associates conducting Covered Transactions on behalf of Covered Entities. |
Security Rule | Protection of ePHI from unauthorized access | Applies uniformly to all Covered Entities and Business Associates handling ePHI. |
Breach Notification Rule | Notification of breaches affecting PHI | Applies to both Covered Entities and Business Associates handling PHI. Business Associates are only responsible for notifying Covered Entities of breaches, and Covered Entities are responsible for all other required breach notifications. |
Privacy Rule | Restricting when and how PHI can be shared and enumerating the rights of individuals with regard to their PHI | Applies to both Covered Entities and Business Associates handling PHI. Applicability to Covered Entities and/or Business Associates is identified on a clause-by-clause basis throughout the requirements. |
Enforcement and Certification
HIPAA and its HITECH amendment are U.S. Federal laws supported by various regulations. HIPAA operates like nearly all other laws and regulations in that its requirements are expected to be followed, and violations can result in penalties.
HIPAA is enforced by the Department of Health and Human Services (HHS). Penalties are documented in the HIPAA regulations at 45 Code of Federal Regulations (CFR) 160.404(b) and range from $100 to $50,000 per violation based on:
- Whether the violation was due to a reasonable cause or willful neglect
- Whether the violation was corrected within 30 days of discovery (or when it should have been discovered with reasonable diligence as determined by HHS)
Identical violations within a calendar year can result in fines of up to $1,500,000.
TrustedSec often receives inquiries about HIPAA certification. This conversation is often complicated by the existence of the HITRUST certification program, which has long been heavily marketed in the health care sector and is confusingly named similarly to HIPAA and HITECH. There is no certification process described in HIPAA, HITECH, or their supporting regulations, and therefore no official certification program exists. Certification, using HITRUST or any other framework, does not automatically mean an organization is HIPAA compliant and does not offer protection against enforcement actions.
See our post, HIPAA, HITECH, and HITRUST - It’s HI Time to Make Sense of it All, for more details on the relationship between HIPAA, HITECH, and HITRUST, and why HITRUST is not a reliable indicator of HIPAA compliance.
Rule-by-Rule Applicability Details
To start at the top, Title 45 Subchapter C, which contains the regulations supporting HIPAA Title II, has three parts that define the following:
Part Number | Name | Description |
---|---|---|
45 CFR Part 160 | General Administrative Requirements | Contains the applicability, definitions, investigatory process, penalties, etc. for the entire subchapter |
45 CFR Part 162 | Administrative Requirements | Requirements for unique identifiers and standardized electronic transactions |
45 CFR Part 164 | Security and Privacy | Security, breach notification, and privacy requirements |
The applicability for all of Subchapter C is defined in 45 CFR 160.102 and tells us that these requirements apply to:
- Covered Entities “except as otherwise provided”
- Business Associates “where provided”
This means:
- We should consider every requirement in this subchapter to be applicable to Covered Entities unless a specific requirement or clause tells us otherwise.
- We only need to apply requirements to Business Associates if a requirement or clause explicitly tells us to do so.
The Administrative, Security, Breach Notification, and Privacy Rules each contain their own Applicability sections that build on this concept with more detailed information, as described below.
Readers who look up the Applicability section of Subchapter C (45 CFR 160.102) may notice that it does not actually contain the words “covered entity”. This is because the Applicability section uses the exact same terms that make up the definition of Covered Entity in 45 CFR 160.103.
Administrative Rule Applicability
The Administrative Rule in 45 CFR Part 162 contains its own Applicability section at 45 CFR 162.100 that tells us that Covered Entities must comply with the requirements of this rule by using the standardized health identifiers, code sets, and formats to transmit Covered Transactions.
The Administrative Rule does not directly apply to Business Associates; instead, it applies indirectly in two ways:
- A Covered Entity may use a Business Associate to conduct Covered Transactions, but if it does so, the Business Associate and its subcontractors must be required to comply with the Administrative Rule as well (45 CFR 162.923(c)).
- When a covered health care provider uses Business Associates to conduct transactions on its behalf, the Business Associate must use the provider’s National Provider Identifier (NPI) (45 CFR 162.410(a)(5)).
This table shows simplified definitions of each Covered Transaction type, organized by what is transmitted, who transmits it, and who receives it:
Transmission Contents | Transmitter(s) | Receiver(s) | Covered Transaction Type |
---|---|---|---|
A request to obtain payment, and the necessary accompanying information for health care | Health care provider | Health plan | Health care claims or equivalent encounter information |
If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care | Health care provider | Health plan | Health care claims or equivalent encounter information |
An inquiry to obtain any of the following information about a benefit plan for an enrollee: | Health care provider or health plan | Health plan | Eligibility for a health plan |
A response to an inquiry described above | Health plan | Health care provider or health plan | Eligibility for a health plan |
A request for the review of health care to obtain an authorization for the health care | Health care provider | Health plan | Referral certification and authorization |
A request to obtain authorization for referring an individual to another health care provider | Health care provider | Health plan | Referral certification and authorization |
A response to either of the requests described above | Health plan | Health care provider | Referral certification and authorization |
An inquiry to determine the status of a health care claim | Health care provider | Health plan | Health care claim status |
A response about the status of a health care claim | Health plan | Health care provider | Health care claim status |
Subscriber enrollment information to establish or terminate insurance coverage | The sponsor of the insurance coverage, benefits, or policy | Health plan | Enrollment and disenrollment in a health plan |
Any of the following: | Health plan | Health care provider | Health care electronic funds transfers (EFTs) and remittance advice |
Any of the following: | Health plan | Health care provider | Health care electronic funds transfers (EFTs) and remittance advice |
Any of the following: | The entity that is arranging for the provision of health care or is providing health care coverage payments for an individual | Health plan | Health plan premium payments |
For the purpose of determining the relative payment responsibilities of the health plan, either of the following for health care: | Any entity | Health plan | Coordination of benefits |
Security Rule Applicability
The Security Rule in 45 CFR Part 164 Subpart C contains its own Applicability section at 45 CFR 164.302 that tells us:
- Covered Entities and Business Associates must apply the requirements of the Security Rule (the “except as otherwise provided” and “where provided” language from the subchapter Applicability section is omitted).
- The Security Rule specifically applies to a Covered Entity’s ePHI and therefore does not apply to PHI in non-electronic media.
With the exception of the clauses related to contracts and agreements between Covered Entities and Business Associates in 45 CFR 164.314, each of the Security Rule requirements also starts with “A covered entity or business associate must…”, making it clear that these requirements apply to both types of organizations. The clauses related to contracts and agreements contain additional details to clarify which terms need to be in which agreements.
There is some nuance to the definition of electronic media, upon which the definition of ePHI is based. See the blog post in this series on the definition of PHI for more details about the exceptions in the definition of ePHI.
Breach Notification Rule Applicability
The Breach Notification Rule in 45 CFR Part 164 Subpart D also contains its own Applicability section at 45 CFR 164.400, but this does not describe applicability to Covered Entities or Business Associates. (It just tells us that it applies to all breaches of PHI.) We must look to the individual requirements within the Breach Notification Rule to understand applicability.
The clauses about making breach notifications to individuals (45 CFR 164.404), the media (45 CFR 164.406), and HHS (45 CFR 164.408) do not apply to Business Associates because they all start with “A Covered Entity shall…” and make no mention of Business Associates.
Business Associates are required by 45 CFR 164.410 to notify the Covered Entity of a breach of the Covered Entity's PHI. Effectively, this means a Business Associate is responsible for notifying a Covered Entity of a breach, and the Covered Entity is in turn required to notify individuals, the media, and HHS as described above.
These clauses all refer to PHI so they apply to both electronic and non-electronic PHI.
Privacy Rule Applicability
The Privacy Rule in 45 CFR Part 164 Subpart E also contains its own Applicability section at 45 CFR 164.500. This subpart reverts to the applicability language used for all of Subchapter C and 45 CFR Part 164, indicating that Covered Entities must comply “except as otherwise provided” and Business Associates must comply “where provided”. This also tells us that the Privacy Rule only applies with respect to a Covered Entity’s PHI.
Section 45 CFR 164.500(b) applies some of the Privacy Rule requirements to health care clearinghouses that only handle PHI as a Business Associate, but health care clearinghouses that handle PHI in any capacity other than a Business Associate must still comply with all of the otherwise applicable privacy requirements.
Individual requirements and clauses within the Privacy Rule indicate whether they apply to Covered Entities or Business Associates. Some clauses begin with “Covered Entity:” or “Business Associate:” while others contain more nuanced applicability information in their text. When implementing the Privacy Rule, it is important to closely examine each clause to determine applicability.
These clauses all refer to PHI so they apply to both electronic and non-electronic PHI.