
Is Your Tennessee Business Subject to HIPAA Regulations?

Cole Law Group, PC

HIPAA is a complicated law with numerous provisions. HIPAA is the abbreviation of the 1996 Health Insurance Portability and Accountability Act, Public Law 104-191.1 The law included provisions that authorized the U.S. Department of Health & Human Services (HHS) to adopt national standards to protect the privacy of personal health information. HIPAA mandated that HHS take action to ensure privacy protection for individually identifiable health information.2

According to the official HHS website, HIPAA requirements include those found in Public Law 104-191, a final privacy rule adopted in December 2000, a final Security Rule adopted in February 2003, an Enforcement rule, and an Omnibus Rule.3 An unofficial version of all HIPAA regulations is found in a combined regulation text on the HHS website.4 This unofficial version of regulations is 115 pages long. You may read the full regulations for yourself if you want. However, the purpose of this article is to provide a snapshot into what HIPAA is and the basic requirements it imposes on businesses.

First, it is important to note that HIPAA does not impose requirements on all businesses. Instead, it applies only to the following entities: “(1) A health plan; (2) A health care clearinghouse; (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter; or (4) an individual or “business associate” that provides certain services to a covered entity.”5

Thus, your business is only regulated by HIPAA to the extent that your business falls into one of the four above listed categories. The first three are fairly self-explanatory. Savvy business owners likely understand if their business falls within those categories. The more difficult determination is if your business is a “business associate” of one of the first three types of businesses. Business Associate is further defined in § 160.103 to include Health information organizations, someone that offers personal health records, and a subcontractor that “creates, receives, maintains, or transmits protected health information on behalf of the business associate.”6 § 160.103(4) carves out exceptions from the definition of business associates. These exceptions include: health care providers to the extent that they are disclosed information regarding treatment of the individual, plan sponsors when they disclose to a group health plan, a government agency, and other limited circumstances.7

Hypothetically, if your business contracts with a health care provider to provide database storage, would this use subject you to HIPAA requirements? Most likely, yes. A business providing database storage may be determined to be a business associate, as your role would be to receive or maintain protected health information on behalf of your company’s client. Also, you should be able to identify who your customers are in order to determine whether they are health care providers or other covered entities. What if your company provides generally applicable services, such as email available to the public, yet you do not contract directly with a health care provider? Then the business owner would not have a contract that authorizes the business to create, receive, maintain, or transmit protected health information. Thus, that company should not be subject to HIPAA regulation.

Why Should My Company Pay Attention to HIPAA Compliance?

HHS takes its obligation to enforce HIPAA regulations seriously, as is evident from the large number of HIPAA fines and settlements that have been handed out in recent years.8 There were 10 reported fines and settlements in 2018. Notably, Anthem, Inc. agreed to a $16,000,000 settlement for numerous HIPAA violations in October 2018. Anthem’s hefty fine was due to the extreme scale of its 2015 data breach, which affected around 78 million people whose information was stolen by hackers.9

In many areas of the law, it is wiser to plan ahead and spend money on compliance than stick your head in the sand and risk an extreme penalty if you are caught. If you are unsure whether your business may have HIPAA compliance issues, you should read more on the subject and consider consulting with an attorney or hiring your own HIPAA compliance expert.

For much more detailed HIPAA information, I recommend reading the HIPAA Journal’s Compliance Checklist.10

_____________________________________

1 See https://www.hhs.gov/hipaa/for-professionals/index.html

2 See https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996

3 See https://www.hhs.gov/hipaa/for-professionals/index.html

4 https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

5 C.F.R. Part 160.102.

6 C.F.R. § 160.103.

7 C.F.R. § 160.103.

8 https://www.hipaajournal.com/summary-2018-hipaa-fines-and-settlements/

9 Id.

10 https://www.hipaajournal.com/hipaa-compliance-checklist/
