SUPPORT | March 1

Federal HIPAA Law: Not Just for Doctors to Worry About

Millions of newly impacted Business Associates are now affected by the Omnibus Rule and are scrambling to understand HIPAA.

accountable staff

If you work within the US health industry, you need to be familiar with the Health Insurance Portability and Accountability Act of 1996.

The Health Insurance Portability and Accountability Act sets the standards for protecting individually identifiable patient data, and those standards bind every professional who handles medical or health-related information on behalf of a covered organization or its business associates.

What Does Federal HIPAA Law Mandate?

Federal HIPAA law (principally its Privacy Rule and Security Rule) defines:

  • Who can access protected health information (PHI)
  • How these individuals can access it
  • Safeguards for storing and sharing this information physically and electronically

Federal HIPAA law also mandates that health-related organizations institute policies and procedures to ensure the above-mentioned protocol is followed at all times, and that they implement safeguards to limit the damage of a data breach and breach-notification procedures for when one occurs.

Now that we have a much clearer understanding of what HIPAA is and what the law entails, let’s take a look at who the laws apply to.

Who Does HIPAA Apply To?

The short answer to this question is: anyone who, in a professional capacity, comes into contact with PHI belonging to another person. The professionals HIPAA applies to fall into two broad categories:

  • Healthcare organization staff members
  • Third-party business associates of healthcare organizations

The following sections will dig deeper into who exactly falls into either of these categories, as well as how and why these individuals must follow HIPAA protocol.

Healthcare Organizations

The more obvious of the two categories of professionals that HIPAA applies to is those who come into direct contact with patients on a daily basis. This includes any employee or volunteer working in, as, or with:

  • Hospitals
  • Clinics
  • Regional healthcare service organizations
  • Individual practitioners

HIPAA regulations apply to more than just the doctors and nurses working within these organizations, too. Receptionists, secretaries, and other clerical staff who come into contact with PHI must adhere to the same standards as the chief of medicine.

HIPAA also applies to employees and volunteers who may incidentally come into contact with PHI – even if their duties have nothing to do with such information. For example, a custodian may pick up a folder with private patient information, or a computer technician may come across digital data while working on a software issue; in both of these cases, the worker is bound by HIPAA to keep the information they might have seen private.

Managers of healthcare organizations need to be absolutely sure that all of their employees understand HIPAA law and protocol. Even a seemingly innocuous breach of the policies and procedures required by the law can result in major sanctions being levied against the entire organization. Covered entities are required to train every workforce member on those policies and procedures, so if you work within a covered entity in any professional capacity, expect to undergo HIPAA training.

Business Associates and Subcontractors

The information in the previous section is pretty straightforward: if you work or volunteer in any capacity within a medical facility, the laws of HIPAA apply to you.

But federal HIPAA law also applies to any entity, organization, or individual whose professional responsibilities include working with patients' protected health information (PHI) on behalf of a covered entity.

Like most large companies, hospitals, clinics, and other organizations often engage third-party business associates to take care of certain non-clinical duties, such as:

  • Legal issues
  • Actuarial duties
  • Accounting
  • Consulting
  • Data aggregation
  • Administrative tasks
  • Accreditation
  • Financial services

The most common duties these entities perform are jobs such as:

  • Claims processing and administration
  • Data analysis
  • Quality assurance
  • Billing
  • Benefit management
  • Repricing

To illustrate why these firms must follow HIPAA protocol when working with a health-related organization, consider the following examples:

  • An attorney providing legal services to a health plan
  • A consultant performing utilization reviews
  • A CPA providing accounting services to a healthcare provider
  • A freelance medical transcriptionist transcribing physician dictation
  • A temp agency connecting custodial workers with employment
  • A tech company hired to repair an organization’s computers

In each of these situations, a breach of HIPAA protocol can harm the patient whose information is exposed, the business associate that allowed it to be exposed, and the hospital or clinic responsible for safely storing and sharing the information. Depending on the severity of the breach and the culpability of the responsible entity, a HIPAA violation may result in heavy civil fines for an organization and, for knowing violations, criminal penalties including possible jail time for the individuals involved.

The HIPAA Omnibus Rule, finalized in 2013, extends the reach of HIPAA even further: subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate such as the ones mentioned above are themselves treated as business associates. Consider the following example:

A hospital hires an accountant to balance the organization's books. The accountant has an assistant collect financial records from the hospital throughout the year, and pays a colleague a small fee to review the finished work at the end of the year to ensure accuracy. He then asks his secretary to send the completed file back to administration at the hospital.

At every step of this process, each individual involved must be informed in writing of proper HIPAA protocol:

  • The assistant must secure the data while transporting it from the hospital to his boss's office.
  • The accountant's colleague must understand that the information is protected by law and cannot be divulged elsewhere.
  • When sending the file back to the hospital, the secretary must ensure the file is encrypted in transit and will be received only by the hospital's administrative team.

No matter how incidental some contact with PHI may seem, each step must be tracked so that patient privacy and a proper chain of custody are maintained at all times. The accountant's own staff (the assistant and the secretary) are covered by the accountant's policies and training as a business associate; the outside colleague is a subcontractor and must sign a business associate agreement with the accountant who hired him, just as the accountant signed one with the hospital.

The purpose of HIPAA regulations is simple: keep patient information private and secure.

But putting this into practice isn’t nearly as straightforward.

As more individuals in various professional capacities become privy to large amounts of PHI, HIPAA law has had to expand to ensure all parties involved follow proper protocol at all times.

Rule of thumb: if your organization deals with private health information in any way, you can be sure you are bound by HIPAA laws.

If your healthcare organization works with a number of business associates, you need to make sure they remain compliant. Use Accountable's Business Associate Agreement templates to quickly draw up the guidelines your associates must follow while working with your organization.