Let’s Talk About HIPAA

Written on .

A lot of people talk about HIPAA, but how many of them have actually read the law? Not very many, from what I have seen and heard people say about HIPAA. Let’s set the record straight.

HIPAA rules do not apply to all communications that may involve health information. As we pointed out in an earlier blog post, that means that an inquiry about your vaccination status will probably not violate HIPAA.

Entities that must follow the HIPAA regulations are called “covered entities.”

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, “business associates” of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. These entities are called “business associates.” Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

If you do business with a covered entity and are presented with a Business Associate Agreement–read it! Some of them can be quite broad and contain language that goes beyond the requirements of HIPAA.

Who Is Not Required to Follow These Laws

Many organizations that have health information about indivuduals do not have to follow these laws.

Examples of organizations that do not have to follow the Privacy and Security Rules include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

What Information Is Protected 

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws

How This Information Is Protected

  • Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
  • Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

This may be more than you wanted to know about HIPAA. But if you want to dig even deeper into HIPAA, you can visit www.hhs.gov.

Principal | Email: kjj@wimlaw.com
Kathleen J. Jennings is a principal in the Atlanta office of Wimberly, Lawson, Steckel, Schneider, & Stine, P.C. She defends employers in employment matters, such as sexual harassment, discrimination, Wage and Hour, OSHA, restrictive covenants, and other employment litigation and provides training and counseling to employers in employment matters.

Get Email Updates

Receive newsletters and alerts directly in your email inbox. Sign up below.

Recent Content

Women signing papers at a table indoors

Trump Regulation Requiring EEOC to Conciliate Rescinded

The current administration has moved rapidly to eliminate the Trump administrators, even during the terms of their employment, and to eli...
Port-au-Prince, Haiti - Outdoors, houses on the hillside

TDPP Extended for Six Countries

More than 400,000 citizens of six foreign countries who live and work in the U.S. under Temporary Protected Status (TPS) are able to stay...
a group of people protesting outdoors, with jackets in the cold

Issues Related to Safety and Work-related Issues, Pertaining to Walk-outs, Sit-ins, Protests, Etc

The current situation is an appropriate time to remind employers of their obligations under federal laws dealing with not only safety pro...
Covid Vaccine Clinic, Parking Sign, Outdoors

Biden Issues Executive Order Attempting to Require Covid Vaccination & Testing

In what many consider President Biden's most bold move regarding COVID-19, he issued an Executive Order on September 9, 2021 in an effort...
candles burning on a rack indoors in the dark

Dealing With Religious Objections to a COVID-19 Vaccine Requirement

In our discussions of rules mandating COVID-19 vaccines, we’ve mentioned the two possible exemptions to a vaccine requirement: disability...
yellow rubber gloves on hands reach high

Protected Concerted Activity in the Era of COVID-19: What Employers Need to Know

The National Labor Relations Board (NLRB) is one of the federal agencies that many employers do not have on their radar. The NLRB is most...

Wimberly, Lawson, Steckel, Schneider & Stine

3400 Peachtree Road, Ste 400 / Lenox Towers / Atlanta, GA 30326 /404.365.0900

Where Experience Counts


Thank you for visiting the firm's website. Please note that this website is intended for general information purposes only and does not constitute an offer of representation or create an attorney-client relationship with the firm. The firm welcomes receipt of electronic mail but the act of sending electronic mail alone does not create an attorney-client relationship. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include the firm's copyright notice.

© 2020 Wimberly, Lawson, Steckel, Schneider & Stine P.C. | Site By JSM