The Impact of HIPAA Privacy Rules
Health insurance companies, health care providers and employers that sponsor health plans all need to comply with HIPAA Privacy Rules. This Risk Insights discusses how some organizations that are not directly regulated by HIPAA have been surprised by the impact these regulations are having on their business practices.

HIPAA Privacy Rules limit the use and disclosure of protected health information by health plans, health care providers and health care clearinghouses (Covered Entities).

Protected Health Information (PHI) is personally identifiable health information created or received by a Covered Entity for purposes of treatment or payment of health care. Covered Entities may use and disclose PHI for treatment, payment or health care operations. Any other use or disclosure requires the Covered Entity to enter into a business associate contract or obtain the patient’s written authorization.

Organizations that are not directly regulated by HIPAA are required to enter into a business associate contract when they require access to PHI to perform services on behalf of a Covered Entity. When an organization enters into a business associate contract, it agrees to comply with many HIPAA Privacy administrative requirements imposed on Covered Entities. For example, brokers securing malpractice insurance on behalf of physicians have been asked to sign a business associate contract.

Although workers’ compensation and short-term disability insurance carriers are not regulated by HIPAA, these carriers must obtain the applicant’s written authorization before a health care provider can release PHI to the carrier. Some carriers are routinely requiring that all applicants sign an authorization. An authorization provided pursuant to the HIPAA Privacy Rules cannot be incorporated into any other document. Generally, information released to a third party under a written authorization is no longer protected by HIPAA.

Organizations that regularly need to access medical records or use PHI to perform services on behalf of a Covered Entity should become familiar with the HIPAA Privacy Rules. Unfamiliarity with HIPAA regulations could result in legal compliance issues and/or a disruption of service to your customers.