Who Should be HIPAA Compliant
The HIPAA rules specify who must be HIPAA compliant. Compliance is required of both Covered Entities (any healthcare provider, health plan or healthcare clearinghouse) and Business Associates (any person or organization that creates, receives, maintains or transmits protected health information, including electronic protected health information [e-PHI], on behalf of a Covered Entity).
Healthcare providers, health plans and healthcare clearinghouses are what the U.S. Department of Health and Human Services (HHS) refers to as Covered Entities (CEs). Individuals, organizations and agencies that meet the definition of a Covered Entity under HIPAA must comply with the HIPAA Privacy and Security Rules to protect the privacy and security of health information, and must provide patients with certain rights with respect to their health information. Note that encryption of e-PHI is an "addressable" implementation specification of the Security Rule rather than a standalone requirement: a Covered Entity must implement it or document why an equivalent alternative measure is reasonable and appropriate.
A Covered Entity is one of the Following:
A Healthcare Provider
- Nursing Homes
A Health Plan
- Health Insurance Companies
- Company Health Plans
- Government programs that pay for healthcare, such as Medicare, Medicaid and the military and veterans’ healthcare programs
- Flexible Spending Accounts
A Healthcare Clearinghouse
- Entities that process non-standard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa
- Billing Services
- Repricing Companies
- Community Health Management Information Systems
Covered Entities must sign Business Associate Agreements (BAAs) with any vendor that, in working with healthcare companies, has any contact with their sensitive patient data. In this manner, any vendor that comes in contact with e-PHI is either a Covered Entity or, by contract, a Business Associate. Since the 2013 HIPAA Omnibus Rule, Business Associates (and their subcontractors) are also directly liable for Security Rule compliance, whether or not a BAA has actually been signed.
A BUSINESS ASSOCIATE IS ONE OF THE FOLLOWING:
Internet Technology Providers
- Hosting Companies
- Managed Service Providers
- Hardware/Software Support/Maintenance
- Software as a Service
- Customer Relationship Management
- Human Resource Management
- Application Services (email, database)
Financial Service Providers
- Revenue Cycle Management
- CPA Firms and Accounting Services
- Claims Processing
- Consultative Services
- Medical Transcription Services
- Document Destruction
- Accreditation Services
- Data Aggregation
- Records Management
- Record Copying/Duplication
- Attorneys with access to protected health information
Whenever OnRamp’s services are used by healthcare companies or their Business Associates, OnRamp enters into a cooperative relationship to ensure that the appropriate measures are taken to protect the availability, integrity and confidentiality of the customer’s sensitive patient data. OnRamp works closely with each customer who deals with e-PHI to ensure that, collectively, OnRamp and the customer are adequately maintaining the proper configurations, processes and procedures to protect that data appropriately. OnRamp has invested extensive resources, infrastructure, time and training to ensure that our HIPAA Compliant Hosting solutions, when deployed by our customers, meet the rigorous HIPAA compliance standards.
FOR MORE HIPAA INFORMATION
Please refer to our HIPAA Glossary page for clarity on specific HIPAA definitions. Also see our HIPAA Resources for further information about HIPAA Compliance. If you would like personalized assistance, contact us today for expert guidance on how to become HIPAA compliant.