If you handle protected health information in any capacity, you need to be aware of HIPAA regulations since failure to comply can lead to federal investigations or fines. Follow this decision tree to assess whether you need to become HIPAA compliant or not.
A Covered Entity is a healthcare provider, health plan, or a healthcare clearinghouse that handles medical information which can identify an individual, called protected health information (PHI), as defined under HIPAA law (§160.103). Examples include hospitals, pharmacies, digital clinics, doctors' offices, health insurance companies, and medical billing services.
Are you a healthcare provider, health plan, or healthcare clearinghouse?
A Business Associate is a vendor or subcontractor who handles PHI on behalf of a Covered Entity or on behalf of another Business Associate, as defined under HIPAA law (§160.103). Examples of Business Associates include AI medical scribes, cloud service providers, data processing companies for clinical trials, AI phone call agents, and electronic health record system providers.
Do you handle PHI on behalf of Covered Entities or another Business Associate?
If you handle PHI that can identify a patient, you need to become HIPAA compliant. However, if the data contains none of the 18 identifiers below, which are defined by HIPAA’s Safe Harbor provision (§164.502(d), §164.514(a)-(b)), and the remaining information cannot reasonably be used to trace back to the individual it belongs to, the data is considered de-identified and is exempt from HIPAA regulations.
18 identifiers defined by the Safe Harbor provision:
Do you collect, store, or transmit PHI that isn’t de-identified according to the Safe Harbor provision?
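The Safe Harbor method described above is mechanical enough to check in code. The following is an added example, not part of the original page: it strips the direct identifiers from a record, generalizes ZIP codes to three digits (with the "000" rule for sparsely populated prefixes) and dates to years, collapses ages over 89 into a single category, and refuses to emit a record that still contains an SSN-, phone- or e-mail-shaped value. The sample record, its field names and the restricted ZIP prefix set are constructed assumptions, not a real schema or Census list.

```python
import re
from datetime import date

# Constructed sample record; the field names are assumptions, not a real schema.
SAMPLE_RECORD = {
    "name": "Jane Doe", "dob": "1931-04-12", "visit_date": "2024-03-05",
    "zip": "03601", "state": "NH", "email": "jane@example.com",
    "mrn": "MRN-0001234", "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up in 3 months.",
}

# Direct identifiers Safe Harbor removes outright (names, contact details, SSN,
# MRN, account/device/vehicle numbers, URLs, IPs, photos, biometrics, ...).
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "phone", "fax", "ssn", "mrn", "account",
                            "device_id", "url", "ip_address", "photo", "biometric"}

# ZIP3 prefixes covering 20,000 people or fewer must become "000". Placeholder
# set (assumption); derive the real set from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Patterns that flag residual identifiers left behind in free text.
RESIDUAL_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),       # SSN-shaped
                     re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),  # phone-shaped
                     re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")]      # e-mail address

def age_bucket(dob: str, as_of: date) -> str:
    """Exact age is allowed up to 89; older ages collapse into one '90+' category."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)

def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy; raise if an identifier survives."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # dropped entirely
        if field == "zip":
            prefix = value[:3]
            out["zip3"] = "000" if prefix in RESTRICTED_ZIP3 else prefix
        elif field == "dob":
            out["age"] = age_bucket(value, as_of)     # no birth month/day
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value[:4]     # keep the year only
        else:
            out[field] = value
    for value in out.values():
        if isinstance(value, str) and any(p.search(value) for p in RESIDUAL_PATTERNS):
            raise ValueError(f"residual identifier in value {value!r}")
    return out
```

The residual-pattern scan is a safety net for free-text fields, not a substitute for the "no actual knowledge" determination the provision requires.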
Yes, you need to be HIPAA compliant. An AI phone calling service that assists healthcare providers in scheduling appointments, providing patient reminders, and communicating health-related information would need to become HIPAA compliant because it handles PHI during these phone calls and is used at hospitals and clinics (Covered Entities).
Yes, you need to be HIPAA compliant. An AI medical scribe that assists healthcare professionals in transcribing and documenting patient visits should be HIPAA compliant as it processes PHI to generate medical notes and is used by providers, clinicians, and hospital workers (Covered Entities).
You might need to be HIPAA compliant. Because many therapists do not accept insurance payments or conduct the electronic transactions (such as claims and billing) that HIPAA covers, they might not be Covered Entities and hence might not be subject to HIPAA regulations. However, those that do accept insurance need to comply with HIPAA. Additionally, some therapists still choose to adopt HIPAA compliant practices because of the sensitive nature of information discussed during therapy sessions.
No, you don’t need to be HIPAA compliant. A fitness app or wearable that tracks workouts, dietary habits, or overall health metrics (such as Fitbit or Apple Watch) does not need to be HIPAA compliant. The data captured and analyzed by these apps, including steps, calories burned, or sleep patterns, falls outside the scope of HIPAA protections, as these apps are typically consumer-facing and are not run by healthcare providers or clinics (Covered Entities).
Prioritizing HIPAA compliance is vital in the healthcare industry to uphold data security standards and maintain trust with clients. HIPAA regulations apply to (1) Covered Entities, which are healthcare providers, plans, and clearinghouses, and (2) Business Associates, which process PHI on behalf of Covered Entities or other Business Associates.