In this module, we start to talk about where the rubber hits the road. You understand the concept of compliance, why it's important, the principles involved, the trade-offs and more. Now we practice together putting this into action. HIPAA, as we've discussed, is the federal law aimed at protecting the privacy of health information. However, not all health information is protected under HIPAA. Only health information held by certain kinds of organizations is. One of the first questions any compliance professional should ask is, does this law apply to us? HIPAA regulates what the statute calls covered entities. Covered entities include health care providers, but only those health care providers who are billing electronically or, more technically correct, transmitting covered transactions electronically. These covered transactions largely have to do with billing. Well, if this is what a HIPAA-covered provider is, what kinds of providers are excluded? Generally, health care providers offering free services, such as free clinics, will not be HIPAA regulated. Also, health care providers that continue to bill using paper records, faxing, mailing, and the like are also not HIPAA-covered. How can that be? Why would the patients of those organizations deserve any less privacy than those in practices and hospitals that bill electronically? Well, it's not that there's a policy reason to treat these two populations differently. However, the statutory authority that Congress provided was built on the premise that increased electronic data-sharing, facilitated by the new HIPAA administrative simplification provisions, should come with additional privacy protections. In other words, sometimes the peculiarities and technicalities of a statute can dramatically affect whether an organization is subject to a compliance regime or not. In this case, whether patients have their privacy federally protected or not.
Second, HIPAA also regulates health plans, quite simply and with almost no qualifications at all. Again, here one must read the statute, or at least the guidance from the agency, to determine if any plans are exempt from the definition. Lastly, HIPAA regulates health care clearinghouses, a very narrow industry sector that actively engages in facilitating the standard transactions, the electronic billing that HIPAA was originally predominantly working to enhance. What about information sharing from a HIPAA-covered entity to someone else? Let's say a patient authorizes a hospital to share their health records with their employer. Is their employer then bound by HIPAA? No. HIPAA, again, only covers the activities of the covered entities. In fact, HIPAA requires that a compliant patient authorization form actually state that the recipient of the information may not be bound by the privacy laws of the sender. What about information shared by a covered entity with a business partner of theirs, such as a records release company or a medical records software company? Well, there most of HIPAA's requirements do apply. The law makes clear that a vendor accessing a covered entity's patient information to perform a function on their behalf is covered. The details of the business arrangement matter in this analysis, and the regulations need to be read carefully. Let's look a little closer at what's in the scope of HIPAA and therefore what's not. Because of the very specific language that defines what types of organizations are bound to comply with HIPAA, we also can learn more about what organizations are not bound. For example, the multitude of health-related apps and devices, including wearable technology, are overwhelmingly not covered by HIPAA, because the companies that operate them are not providers, payers, or health care clearinghouses, unless they are in the role of business associates of covered entities.
Because privacy in the US is essentially a patchwork of laws affecting certain sectors, it's especially crucial for any privacy professional or compliance professional handling privacy to determine what laws apply to what organization and sometimes only to certain activities of an organization. The impact of this careful read of scope is tremendous. Knowing whether the weight and consequence of a rather massive federal regulation applies to your organization will translate into you knowing what activities may be compliant or not, lawful or not.