HIPAA Basics for Small Businesses: What You Need to Know
- May 18, 2026
- Posted by: allan
- Category: Healthcare Law
The Health Insurance Portability and Accountability Act, universally known as HIPAA, is one of the most consequential federal laws governing how health information is handled in the United States. Most people associate HIPAA with hospitals and doctors, and those entities are certainly covered. But HIPAA’s reach extends well beyond traditional healthcare providers. Billing companies, software vendors, data storage providers, transcription services, and a wide range of other businesses are subject to HIPAA obligations because of the role they play in handling health information on behalf of covered entities. Understanding whether HIPAA applies to your business — and if it does, what it requires — is essential for any small business operating anywhere near the healthcare industry.
What Is HIPAA and What Does It Protect?
HIPAA was originally enacted in 1996 and has been substantially expanded since then, most significantly by the Health Information Technology for Economic and Clinical Health Act in 2009. At its core, HIPAA establishes national standards for protecting certain health information from unauthorized use or disclosure. The information HIPAA protects is called protected health information, or PHI. PHI is any information that relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to that individual, or the payment for healthcare provided to that individual, when the information can be used to identify the individual.
The definition of PHI is broad. It covers medical records, of course, but it also covers insurance claim information, billing records, appointment scheduling data, prescription records, lab results, and any other information that connects an identifiable person to a health-related fact. The identifying element is key: information about a medical condition is not PHI if it is stripped of all information that could be used to identify the person it relates to. But many businesses are surprised by how far the identification standard reaches. Name, address, date of birth, phone number, email address, Social Security number, account numbers, IP addresses, and even certain demographic combinations can all be identifiers under HIPAA.
Who Is Covered by HIPAA?
HIPAA applies to two main categories of organizations: covered entities and business associates.
Covered entities are the organizations at the center of the healthcare system. They include healthcare providers that transmit health information electronically in connection with certain standard transactions — which in practice means virtually every doctor, hospital, clinic, pharmacy, laboratory, and nursing home in the country. They also include health plans, including health insurance companies, HMOs, employer-sponsored group health plans, Medicare, and Medicaid. And they include healthcare clearinghouses, which are organizations that process non-standard health information into a standard format.
Business associates are where HIPAA reaches beyond traditional healthcare organizations into the broader economy. A business associate is any person or organization that performs functions or activities on behalf of, or provides services to, a covered entity and that involves creating, receiving, maintaining, or transmitting PHI in the course of doing so. The list of potential business associates is long: medical billing companies, claims processing vendors, electronic health record software providers, cloud storage services that host PHI, data analytics firms, transcription services, answering services, legal counsel, accountants, and many others may qualify as business associates depending on the nature of their engagement with a covered entity.
If your business provides any service to a healthcare organization and, in the course of providing that service, you create, receive, maintain, or transmit health information about their patients, you are almost certainly a business associate subject to HIPAA.
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards for the protection of PHI by covered entities and business associates. It sets out the conditions under which PHI may be used and disclosed, gives patients important rights over their health information, and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect PHI.
The general principle of the Privacy Rule is that PHI may not be used or disclosed without the individual’s written authorization, with exceptions for specific purposes. The major exceptions include treatment, payment, and healthcare operations — collectively known as TPO — which cover the core activities of the healthcare system. PHI may also be disclosed without authorization for public health activities, law enforcement purposes under specific conditions, certain research purposes with appropriate protections, and a handful of other circumstances defined in the rule.
For most small businesses that are business associates, the practical implications of the Privacy Rule are: you may only use PHI for the purposes specified in your agreement with the covered entity, you may not use PHI for your own marketing or business purposes without authorization, you must provide PHI to the covered entity upon request so that patients can exercise their access rights, and you must implement administrative and technical policies to limit access to PHI to those who need it to do their jobs.
The HIPAA Security Rule
The HIPAA Security Rule applies specifically to electronic protected health information, called ePHI. It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
Administrative safeguards are the policies and procedures organizations put in place to manage the selection, development, implementation, and maintenance of security measures. They include a risk analysis and risk management process, security awareness training for employees, a contingency plan for responding to emergencies, and policies governing access to information systems. The risk analysis is perhaps the most important administrative safeguard requirement: HIPAA requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of the ePHI they hold, and to implement security measures sufficient to reduce those risks to a reasonable and appropriate level.
Physical safeguards address the physical measures, policies, and procedures that protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. They cover workstation security, facility access controls, and device and media controls for hardware and electronic media that contain ePHI.
Technical safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it. The Security Rule names five standards: access controls that limit system access to authorized users and processes, audit controls that record and examine activity in systems containing ePHI, integrity controls that protect ePHI from improper alteration or destruction, person or entity authentication that verifies the identity of whoever is requesting access, and transmission security that protects ePHI sent over a network. Several of the underlying implementation specifications, including encryption of ePHI at rest and in transit, are designated "addressable." That does not make them optional: the organization must implement an addressable specification if it is reasonable and appropriate, or document why it is not and what equivalent measure was put in place instead.
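The following is an added illustration of two of those safeguards working together; it is not code from the article or from any HIPAA guidance. A hypothetical in-memory record store enforces a role-based "minimum necessary" field policy, writes an audit entry for every access attempt (allowed or denied), and a review function scans that audit trail for a user who viewed an unusual number of distinct patients in a short window, which is the kind of examination the audit-controls standard exists to support. The roles, field policy, sample records, window and threshold are all assumptions made for the example.

```python
"""Illustrative technical safeguards for ePHI: role-based access that
returns only the minimum necessary fields, an audit trail for every
access attempt, and a review query over that trail.

Added example, not code from the article or from any HIPAA guidance.
The roles, field policy, records and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed minimum-necessary policy: which record fields each role may see.
ROLE_FIELDS = {
    "billing": {"patient_id", "name", "insurance_id", "claim_codes"},
    "clinician": {"patient_id", "name", "dob", "diagnosis", "claim_codes"},
    "scheduler": {"patient_id", "name", "phone"},
}

# Constructed sample records for fictional patients.
SAMPLE_RECORDS = {
    "P001": {"patient_id": "P001", "name": "Ada Example", "dob": "1980-02-01",
             "phone": "555-0101", "insurance_id": "INS-1001",
             "diagnosis": "J45.20", "claim_codes": ["99213"]},
    "P002": {"patient_id": "P002", "name": "Ben Example", "dob": "1975-07-14",
             "phone": "555-0102", "insurance_id": "INS-1002",
             "diagnosis": "E11.9", "claim_codes": ["99214"]},
    "P003": {"patient_id": "P003", "name": "Cy Example", "dob": "1992-11-30",
             "phone": "555-0103", "insurance_id": "INS-1003",
             "diagnosis": "M54.5", "claim_codes": ["99213"]},
    "P004": {"patient_id": "P004", "name": "Di Example", "dob": "1968-03-09",
             "phone": "555-0104", "insurance_id": "INS-1004",
             "diagnosis": "I10", "claim_codes": ["99212"]},
}


class AccessDenied(Exception):
    """Raised when the requested access is not permitted by the policy."""


class PhiStore:
    """In-memory ePHI store that enforces the role policy and logs access."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []  # one dict per access attempt, allowed or denied

    def access(self, user, role, patient_id, purpose, now=None):
        """Return only the fields the role may see; log the attempt either way."""
        now = now or datetime.now(timezone.utc)
        entry = {"ts": now, "user": user, "role": role, "patient_id": patient_id,
                 "purpose": purpose, "fields": [], "outcome": "denied"}
        allowed = ROLE_FIELDS.get(role)
        record = self._records.get(patient_id)
        if allowed is None or record is None:
            # Denied attempts are logged too: failed lookups are signal.
            self.audit_log.append(entry)
            raise AccessDenied(f"{user} ({role}) may not access {patient_id}")
        view = {k: v for k, v in record.items() if k in allowed}
        entry["fields"] = sorted(view)
        entry["outcome"] = "allowed"
        self.audit_log.append(entry)
        return view


def find_bulk_access(audit_log, window=timedelta(minutes=10), threshold=3):
    """Flag users who viewed more than `threshold` distinct patients within
    any `window`-long period. Returns {user: peak distinct patients seen}."""
    by_user = defaultdict(list)
    for e in audit_log:
        if e["outcome"] == "allowed":
            by_user[e["user"]].append((e["ts"], e["patient_id"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort by timestamp first
        peak = 0
        for i, (start, _) in enumerate(events):
            in_window = {pid for ts, pid in events[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    store = PhiStore(SAMPLE_RECORDS)
    t0 = datetime(2026, 5, 18, 9, 0, tzinfo=timezone.utc)
    print(store.access("bsmith", "billing", "P001", "claim submission", t0))
    for i, pid in enumerate(SAMPLE_RECORDS):
        store.access("jdoe", "clinician", pid, "chart review",
                     t0 + timedelta(minutes=i))
    print(find_bulk_access(store.audit_log))
```

The billing user never sees the diagnosis field, and the clinician who opens four charts in three minutes is the one the review query surfaces. In a real system the audit log would be append-only storage the application cannot rewrite, and the threshold would be tuned against each role's normal workload rather than fixed at a constant.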
Business Associate Agreements
One of the most concrete HIPAA compliance obligations that small businesses encounter is the business associate agreement, or BAA. Before a covered entity may share PHI with a business associate, HIPAA requires the parties to enter into a written agreement that establishes the business associate’s permitted and required uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, requires the business associate to report any breach or security incident involving the PHI to the covered entity, and requires the business associate to return or destroy the PHI at the end of the relationship.
If your business is a business associate, you should expect covered entities to require a BAA before engaging your services. If a covered entity asks you to sign a BAA, you should read it carefully: some BAAs include obligations that go beyond what HIPAA strictly requires, and some include limitations on your ability to use data in ways that might be important to your business. If you use subcontractors who will have access to the PHI you receive, you are also required to enter into a BAA with each of those subcontractors.
The Breach Notification Rule
HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services, and in some cases the media when a breach of unsecured PHI occurs. Business associates are required to notify the covered entity of any breach without unreasonable delay and no later than 60 calendar days after discovery, and a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any employee or agent of the business associate. "Unsecured" is a term of art: PHI is unsecured unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance, which in practice means encryption consistent with NIST standards or destruction of the media. A lost laptop whose disk was encrypted and whose key was not compromised is therefore generally not a reportable breach, which is one of the strongest practical arguments for encrypting every device that holds ePHI.
A breach under HIPAA is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure is a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised based on a risk assessment of at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Small businesses that experience a security incident involving ePHI — whether a ransomware attack, a phishing incident that exposed login credentials, a lost or stolen device, or an accidental disclosure to the wrong recipient — must conduct this risk assessment promptly, document it, and comply with notification requirements if the analysis does not overcome the presumption of breach. The assessment asks whether the PHI was compromised, not only whether it was exfiltrated: HHS guidance treats a ransomware infection that encrypts ePHI as an impermissible acquisition and therefore a presumed breach unless the four-factor analysis shows otherwise.
HIPAA Penalties: The Stakes Are Real
HIPAA is enforced by the Office for Civil Rights within the Department of Health and Human Services, which investigates complaints and conducts compliance audits. Civil penalties range from $141 to more than $2 million per violation category per year, depending on the level of culpability. The Office for Civil Rights has assessed substantial penalties against covered entities and business associates of all sizes — including small practices and individual practitioners — for failures to conduct a required risk analysis, for impermissible disclosures, for failing to have proper BAAs in place, and for inadequate security controls.
In addition to federal enforcement, most states have their own health information privacy laws that may impose additional obligations or penalties. And patients who have had their PHI improperly disclosed may pursue complaints through the federal process, which can trigger investigations even against small businesses.
Getting Started with HIPAA Compliance
For a small business that has determined it is a covered entity or business associate, HIPAA compliance begins with a risk analysis. The risk analysis is not optional and is not a one-time exercise: it must be conducted initially and then reviewed periodically or whenever there are significant changes to the organization’s environment or operations. From the risk analysis, the organization develops and implements a risk management plan that addresses the identified risks, assigns responsibility for privacy and security compliance, trains employees on HIPAA requirements and the organization’s policies, and establishes processes for handling individual rights requests and breach incidents.
HIPAA compliance is not an all-or-nothing proposition for most small businesses. Implementing reasonable safeguards, maintaining appropriate policies, training employees, and having proper agreements with vendors and covered entities will significantly reduce both the risk of a breach and the risk of enforcement action if something goes wrong. The organizations that face the most severe consequences from HIPAA enforcement are typically those that knew about compliance obligations, failed to take them seriously, and then experienced a significant breach.
