Who is required to comply with HIPAA laws?

Video 4 of 14
1 min 24 sec

In this lesson, we'll go over who's required to comply with HIPAA laws and the group the law directly applies to: covered entities. You may notice a bit of overlap with the earlier lesson, What is HIPAA. Not to worry; it's all part of the secret sauce. Repetition is how we learn.

Covered entities include:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses

What is a Covered Entity?

A covered entity is one of the three groups the law names directly: a health plan, a healthcare clearinghouse (an organization that converts health information between nonstandard and standard electronic formats, as some claims-processing and billing services do), or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction such as submitting a claim. "Healthcare provider" is broad: it includes hospitals, clinics, physicians, and pharmacies, and also any other person or organization that furnishes, bills, or is paid for healthcare in the normal course of business. Simply having access to protected health information does not make someone a covered entity; organizations that handle PHI on a covered entity's behalf are usually business associates, discussed below.

What is a Health Plan?

A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, a health insurer, an employer-sponsored group health plan, or a government program such as Medicare or Medicaid.

What is a Business Associate?

A business associate is a person or organization outside the covered entity's own workforce that creates, receives, maintains, or transmits PHI (including ePHI) while performing a function or service on the covered entity's behalf. A vendor whose contact with PHI would be only incidental, and whose work does not involve using or disclosing it, is not a business associate. Business associates are required to have in place:

  • A risk assessment plan
  • Proper training
  • Specific policies and procedures

Examples of business associates include:

  • IT vendors
  • Call centers
  • Court reporters
  • Cloud providers
  • Legal services providers
  • Suppliers and manufacturers with access to PHI and ePHI

Since the HITECH Act, business associates are directly liable for complying with the Security Rule's safeguards for ePHI and with the Privacy Rule provisions that apply to them, and they must notify the covered entity when they discover a breach of unsecured PHI. The relationship must be set out in a written contract, the Business Associate Agreement (BAA), that states what the business associate may do with the PHI and the safeguards it must apply. A subcontractor that handles PHI for a business associate is itself a business associate and needs its own agreement.

A Word About Protecting PHI at Workstations

At the end of the last lesson, we took a look at some guidelines and best practices for protecting PHI during communications, whether they be written, spoken, or electronic. In this section, we're going to tackle workstation use and workstation security and provide you with some guidelines for keeping them safe and secure.

Along with workstation use and workstation security, there are two other standards when it comes to HIPAA's Physical Safeguards for protecting PHI – facility access controls and device and media controls. (Which we'll likely address in detail at another time.)

HIPAA's Security Rule defines Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Workstation Use

The HIPAA Security Rule defines a workstation as any "electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment."

Inappropriate use of workstations increases a covered entity's risk, including the risk of malware infections and other breaches. To comply with the workstation use standard, HIPAA requires all covered entities to:

"Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information."

It should be noted that this workstation use standard also covers remote work environments, meaning any work from a remote location (home, travel, satellite office) where employees have access to ePHI.

Workstation Security

Workstation security is another standard that has been put in place to better protect PHI. This standard requires covered entities to:

"Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users."

So, what are some safeguards or guidelines that will help protect PHI and ePHI at workstations? What a well-timed question.

Computer Workstation Guidelines to Protect PHI

To help protect PHI at workstations, consider implementing the following strategies:

  • Lock the screen (a password-protected screen saver set to lock automatically after a short idle period) or log out whenever you step away from your desk, and shut the computer down at the end of the day.
  • Position computer monitors so that patients, visitors, and passers-by cannot read them, and use a privacy filter where repositioning is not possible.
  • Require a password (or stronger authentication) to unlock every workstation and laptop, and never share credentials.
  • Change passwords on the schedule your policy sets, and immediately if you suspect one has been exposed.
  • Do not leave laptops, other work-related devices, or PHI visible or unsecured in a car, home office, or any public area.
  • Ensure that all PHI, including PHI used outside the work environment, is protected by appropriate measures, such as storage in locked desks and file cabinets.
  • Never remove original copies of PHI without your supervisor's approval.
  • Store files that contain PHI on a secure, access-controlled server rather than on the workstation's local drive; where local storage is unavoidable, make sure the drive is encrypted.
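As an added example that is not part of this lesson, the following PowerShell script audits a Windows workstation's screen-lock settings against the first guideline above. It reads the screen-saver values Windows keeps in the registry, checking the Group Policy key under HKCU\Software\Policies first because it overrides the user preference key, and flags a workstation whose screen saver is off, does not require a password on resume, or waits longer than 15 minutes before locking. The 15-minute figure and the function names are assumptions made for illustration; the Security Rule does not name a number.

```powershell
# Added example (not from the original lesson): audit a Windows workstation's
# screen-lock settings. The 900-second threshold is an assumption for illustration.
$MaxIdleSeconds = 900

function Get-ScreenLockSetting {
    param([Parameter(Mandatory)][string]$Name)

    # The policy key (written by Group Policy) takes precedence over the user's own preference.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'

    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [string]$item.$Name
        }
    }
    return $null
}

function Test-WorkstationScreenLock {
    # Windows stores these as strings: '1' means enabled, timeout is in seconds.
    $active  = Get-ScreenLockSetting -Name 'ScreenSaveActive'
    $secure  = Get-ScreenLockSetting -Name 'ScreenSaverIsSecure'
    $timeout = Get-ScreenLockSetting -Name 'ScreenSaveTimeOut'

    $findings = @()
    if ($active -ne '1') {
        $findings += 'Screen saver is not enabled'
    }
    if ($secure -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is '$timeout' seconds; must be $MaxIdleSeconds or less"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        UserName     = $env:USERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Run the audit for the current user and show the result.
Test-WorkstationScreenLock | Format-List
```

In practice the values would be set centrally through Group Policy (the same three value names under the policy key) rather than corrected by hand on each machine; the script is the check that confirms the policy actually landed on a given workstation, which is the evidence an auditor will ask for.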