Who Must Comply With HIPAA

In order to understand who must comply with HIPAA, it is important to become familiar with the terminology. (See the Table of HIPAA Terms for definitions.) Any healthcare provider, healthcare clearinghouse or health plan (such as an insurance company) must comply with HIPAA. The HIPAA regulations refer to the healthcare providers required to abide by HIPAA as covered entities (CEs). Dental practices that bill electronically for their services are covered entities and must comply with HIPAA. If a healthcare provider does not bill a federal program (Medicare, Medicaid, etc.) for healthcare services, that provider is not considered a CE and does not have to comply with the HIPAA regulations. Even if a dental practice currently submits paper claims, one of the goals of the HIPAA regulations is to require all healthcare providers to submit claims electronically for reimbursement by federal programs, and in the future most healthcare providers will be required to submit electronic claims. Consequently, most healthcare providers are voluntarily complying with the HIPAA regulations.

All covered entities use protected health information (PHI) for patient treatment, for the operational needs of the organization, and for payment purposes. PHI includes medical and dental records, information about the patient in billing records, and administrative files such as quality review studies and reports. Patient information in paper form, computer systems or reports must be protected.

Healthcare providers rely on other companies and individuals to provide certain contracted services for them. HIPAA also requires covered entities (CEs) to protect patient information they share with companies and individuals that are not CEs. The HIPAA regulations call these other companies or individuals “business associates” of the healthcare provider. Common examples of business associates of dental practices include dental labs, medical labs, microfilm services, off-site storage companies, billing companies, collection agencies and shredding services. All of these companies perform services that require access to confidential patient information, called “protected health information” or PHI in the regulations. Although business associates are not themselves considered covered entities and are not required to comply with HIPAA, covered entities are required to formalize agreements or contracts with these companies that include specific language obligating the business associate to protect the privacy of the health information the covered entity shares with it in order to accomplish the services. By April 14, 2004, all existing contracts with business associates must contain the specific language required by HIPAA, and any new contracts signed between now and April 2004 must include the language. The sample business associate language is posted on the OCR web site.


© ADHA 2004