
The Ins and Outs of HIPAA Regulation

by Benjamin Orsatti, Associate General Counsel & Senior HR Consultant, East Coast Risk Management

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a complex beast in the world of HR. Lawyers and HR professionals are among the few who are equipped to understand what this law requires and to whom those requirements actually apply. To that point, the law is limited to three separate “classes” of entities, each of which has somewhat different duties to safeguard protected health information. Those classes are Covered Entities, Business Associates, and Subcontractors. Is your business properly classifiable as one of these three entities?

The Rules for Handling Protected Information

The three types of HIPAA regulatory obligations with respect to use and disclosure of protected health information (“PHI”) and electronic protected health information (“ePHI”) are “Privacy”, “Security”, and “Breach Notification” – and Covered Entities are subject to all of them.

The Privacy Rule obliges Covered Entities to:

  • Notify individuals about their privacy rights and how their information can be used
  • Secure records involving health information
  • Adopt and implement privacy procedures as well as train all workforce members on these procedures

The Security Rule requires Covered Entities to:

  • Ensure the confidentiality, integrity, and availability of all ePHI that the entity creates, receives, maintains, or transmits
  • Ensure compliance throughout the Covered Entities’ workforce
  • Protect against reasonably anticipated ePHI security threats and forbidden uses or disclosures

NOTE: Within the Security Rule are three general categories of “safeguards”, which themselves are further subdivided into specific “standards”, which are then broken up into particular “implementation specifications.”

The Breach Notification Rule:

  • Is more or less a “damage control” requirement that Covered Entities give notice to individuals, the Department of Health and Human Services, and the media, in the event of any unauthorized acquisition, access, use, or disclosure of PHI or ePHI.


Covered Entities

Following the rule of three, a Covered Entity will be either a health plan, a health care clearinghouse, or a health care provider. The government’s Centers for Medicare and Medicaid Services offers a flowchart to help determine whether an entity may be one of the previously listed types of Covered Entity. For now, note that the health plan category includes: health insurance companies, health maintenance organizations (“HMOs”), Medicare, Medicaid, or other government health programs, and employer-sponsored group health plans.

NOTE: An employer that sponsors a group health plan will not be bound by HIPAA as a covered entity unless the employer carries out administrative duties for the plan. For example, say an employer runs its own wellness program: if those duties involve the employer’s access to information that is “created, received, or maintained in connection with an employer’s group health plan,” then the Privacy (PHI) or Security (ePHI) rules will apply, as well as HIPAA’s non-discrimination rules. For insight into what qualifies as “PHI” or “ePHI,” please refer back to our previous article regarding the maintenance and confidentiality of medical information and records.

A good “rule of thumb” is that HIPAA really only comes into play when the information in question discloses the identity of a specific person. HIPAA does not come into play when dealing with certain types of Workers’ Compensation data or pre-employment physicals – rather, regulations refer to this kind of information as “de-identified health information.”


Business Associates

Covered Entities rarely work alone, and oftentimes enter into agreements with other entities, which, at times, can come into possession of the covered entities’ PHI or ePHI. Those contracted entities are known as “Business Associates,” and they too fall under part, but not all, of HIPAA’s regulatory structure.

A Business Associate is directly responsible for compliance with some of the Privacy requirements, and all of the Security requirements, and may be directly or indirectly responsible for compliance with the Breach Notification requirements.

Functions and services that make an entity a Business Associate include:

  • Claims processing or administration (e.g., third-party administrators (TPAs) and pharmacy benefit managers)
  • Data analysis, processing, or administration (e.g., cloud service providers, unless data is limited to “de-identified” information)
  • Utilization review and quality assurance
  • Certain patient safety activities
  • Billing, practice management, and repricing
  • Providing services to covered entities involving PHI, such as:
    • Legal, actuarial, accounting, consulting, data aggregation, management or administrative, accreditation and financial

For example, a health information exchange, regional health information organization, e-prescribing gateway, or vendor that offers the workforce members of a Covered Entity access to personal health records would all likely be classifiable as “Business Associates.”


It may seem as though everybody doing business with a Covered Entity are “business associates” in some form or another, but there are exceptions. For example:

  • Members of a Covered Entity’s workforce are not Covered Entities, nor are they Business Associates, even if their employer’s policies may require them to report known violations of HIPAA’s privacy and security rules
  • Financial institutions through whom health care transactions may be processed are not Covered Entities unless they themselves are directly involved in “creating, receiving, maintaining, or transmitting” PHI or ePHI
  • Private couriers and their electronic equivalents are not Business Associates. Although they transport information, they do not access it, except on a “random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law”.
  • Janitorial or cleaning services whose employees may empty a wastepaper basket that happens to contain PHI are not Business Associates, for very much the same reasons; however, a document or media shredding company would be.

Business Associate Agreements

Covered Entities are required by law to compel any Business Associates with whom they deal to enter into a “Business Associate Agreement”, setting forth each party’s obligations under HIPAA. What’s important to remember is that it is the act of creating, receiving, maintaining, or transmitting PHI or ePHI that makes an entity liable as a Business Associate, regardless of whether or not there may exist an actual Business Associate Agreement.

HIPAA obligations “flow” downstream from Covered Entities to Business Associates to Subcontractors, who themselves become Business Associates by having created, received, maintained, or transmitted PHI or ePHI on behalf of other Business Associates.

Although the employees of a Business Associate are not directly obligated under HIPAA, Business Associates themselves, as well as other vendors, agents, or individuals acting on a Business Associate’s behalf, are required to obtain assurances from their subcontractors stating that they will comply with HIPAA to the same extent as any other Business Associate. In turn, those subcontractors must obtain satisfactory assurances from their own subcontractors or agents, no matter how far “downstream” the protected information may “flow.”

If you are an employer with questions about this or any issue relating to safety, human resources or workers’ compensation, contact East Coast Risk Management by calling 724-864-8745 or emailing us at

Disclaimer: The information provided on this web site is for informational purposes only and not for the purpose of providing legal advice. Use of and access to this Web site do not create an attorney-client relationship between East Coast Risk Management or our employment law attorney and the user or browser.