Who is required to protect your medical information under HIPAA?
Health care entities that are required to protect your privacy under HIPAA include:
- Health care providers: Every health care provider, regardless of the size of the practice, who electronically transmits health information in connection with certain standard transactions, including claims, benefit eligibility inquiries, referral authorization requests, and other transactions covered by the HIPAA Transactions Rule. A provider that never transmits such information electronically is not a covered entity on this basis.
- Health plans: Entities that provide or pay the cost of medical care (e.g., health, dental, vision, and prescription drug insurers; Medicare; Medicaid; Medigap insurers; long-term care insurers (excluding nursing home fixed-indemnity policies); employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans).
- Business associates: A person or organization (other than a member of a covered entity’s workforce) that uses or discloses individually identifiable health information on behalf of a covered entity to perform functions, activities, or services such as claims processing, data analysis, utilization review, and billing.
Employers are generally not covered entities under the HIPAA Privacy Rule, but other federal laws protect the privacy of medical information at work (e.g., the ADA and the FMLA). For more information, see the Quick Guide to Disclosure, Privacy, & Medical Certification Forms.