Who Must Be HIPAA Compliant?
The HIPAA Rules apply to two groups: covered entities and business associates. A covered entity is a health plan, health care clearinghouse, or health care provider who electronically transmits any health information. Examples of covered entities are:
- Doctors
- Dentists
- Pharmacies
- Health insurance companies
- Company health plans
A business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. Examples of business associates (whose services include access to PHI) are:
- CPAs
- Attorneys
- IT providers
- Billing and coding services
- Laboratories
HIPAA violations are expensive. The penalties for non-compliance are based on the level of negligence. They can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.