NOTE: This blog includes discussions and explorations of legal issues. The content is intended for educational purposes only, and is not intended to be legal advice. You should always consult with a licensed attorney before taking any action that could affect or impair your legal rights.
This post is intended for people like patient advocates that have medical knowledge, but who might be unfamiliar with the statutory and regulatory frameworks associated with the services they provide. The phrase “PHI” and “HIPAA” are probably mentioned on a regular basis, but what are they and what do they mean for people that are in fields adjacent to providing health care? How is the information handled after it has been created and connected to an individual (i.e., a patient)? A good place to start is to form a basic understanding of what protected health information (“PHI”) is.
What is PHI? Is any type of medical information considered to be PHI? “How medical” does the information have to be, to be considered PHI? “How much” of a document has to contain medical information, for HIPAA to apply to the document? If the information is in the form of an audio recording, rather than written (or typed) out, does that mean the record is not subject to HIPAA? What is HIPAA?
While the ultimate motivation for answering those questions is extremely important, those frameworks are, altogether, not really accurate (or helpful) ways for determining the answer to those questions. By starting from the basics, it becomes easier to strip away assumptions that often muddy these types of questions.
First off, “HIPAA” is the acronym for the Health Insurance Portability and Accountability Act of 1996. It has been amended several times since then, but for those worried about a diversion into the history of the law, you need not worry. The historical fact perhaps most relevant to today’s post is that the acronym has never been “HIPPA.” There is only one P, but there are two A’s, so you should always check your auto-correct to avoid looking silly.
The next thing to know is that “health information” is “any information, whether oral or recorded in any form or medium. . . .” That means it does not matter if the information is stored as mental notes of an audio recording on a digital recorder or scribbled down on the backside of a napkin. Now of course, “health information” is not just “any information;” it is information that has been “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or [a] health care clearinghouse . . . .” The information can be narrowed down again: simply being “created or received by” those entities does not automatically categorize the information as “health information.” The information must “relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.” From a definitional standpoint, what constitutes “health information,” tends to encompass about what you might expect, but from a legal standpoint, the impact of this classification tends to be far more limited.
The cause of that limited impact comes from to whom HIPAA (and its subsequent amendments) applies. HIPAA applies to “covered entities” and “business associates,” as well as a third quasi‑category, known as “hybrid entities.”
What constitutes a “covered entity?” Saying “an entity that is covered,” wouldn’t be very helpful, but thankfully, HIPAA lists three “persons” to whom it applies: “health plan[s],” “health care clearinghouse[s],” and “health care provider[s] . . . .” A health plan is “an individual or group plan that provides, or pays the cost of, medical care.” A health care clearinghouse is “a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” And a health care provider is “a provider of services (i.e., “a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, [or] hospice program”), a provider of medical or other health services ([which is a long list defined at 42 USCS § 1395x(s)]), and any other person furnishing health care services or supplies.” In summary, a covered entity is, generally speaking, a plan that will pay for your medical care; an entity that handles your health information; or someone that provides you with health care, medical, or other health services.
The level of sophistication that is often required to make everything work “on the back‑end” for covered entities often requires that they contract with people specialized in those operational aspects. Inevitably, many of these contractors will handle or interact with information that a covered entity is required to protect. In order to ensure that the protections that are supposed to be provided by HIPAA to patients is maintained — and to ensure that covered entities are not penalized for the commercial reality that they cannot be experts in all things (e.g., database infrastructure, cybersecurity, etc.) — Congress established a category of persons that, while not ordinarily considered a covered entity, would nevertheless, be generally held to the same standard as a covered entity, when dealing with PHI. This group of persons is referred to as “business associates.”
A business associate might appear to do the work that an employee of the covered entity might do, but a business associate is never an employee of the covered entity. They often provide administrative or professional services for the covered entity. In some cases, a covered entity can be a business associate of another covered entity. Take for instance, a health care clearinghouse — a covered entity in its own right — that a hospital — again, a covered entity in its own right — contracts with, to process PHI. In that case, the health care clearinghouse would be the business associate of the hospital.
A good way to keep straight the concepts of a covered entity and a business associate is to think about where the PHI originates (in the regular course of business), and then which entity receives that information — which they ordinarily wouldn’t receive, except for some work or job they are doing on behalf of the entity where the PHI originates.
A hybrid entity is “a legal entity that performs business activities that are governed by HIPAA as well as business activities that are not governed by HIPAA.” That may sound confusing or rare at first, but if you stick to the basics, rather than allowing your imagination to fill the void between the “expanse” of business activities that are governed by HIPAA, as well those that are not, it can actually be rather common. A good example of an entity that can participate in both activities would be a prison.
The first thing that comes to mind when describing a prison’s function is probably not health care, but there is a component of a prison that does provide health care. Inmates still require health care, and while more complex procedures might still require a visit to a conventional hospital, more basic care can still be provided on the premises of the prison. Doctors and nurses might be employees of the prison, and guards can become privy to an inmate’s PHI while monitoring that inmate. That health care component of a hybrid entity — a prison in this case — effectively, has to act as if it is a legally separate entity from the remainder of the entity that does not perform “covered functions.” That means, for example, PHI cannot be shared with the rest of the hybrid entity that does not perform “covered functions,” such as other guards at the prison.
One last note about “hybrid entities.” The “hybrid” aspect of the entity does not refer to the potential to be both a covered entity and a business associate (the “business associate” aspect never comes into the equation). The “hybrid” characterization refers to the ability for the entity to be considered both, a covered entity and not a covered entity, simultaneously.
First off, nothing here should be read to mean that you can or should treat information relating to health matters carelessly — whether you are a covered entity, a business associate, a hybrid entity, or you do not fall into any of those categories. Not only is that a matter of respect for a fellow human being, it is also important for the purpose of limiting your legal liability, as HIPAA is not the only law out there that can protect an individual’s information (and punish those that fail to do so).
Secondly, and perhaps ultimately, legal questions having to do with HIPAA and how to handle PHI can be dense, but they are not totally indecipherable. Just because information has to do with health matters or because it originates from a person working in a health or medical field, does not necessarily mean it will be subject to HIPAA. Nevertheless, there can be many overlapping purposes and origins for information related to health matters, so it is important to remain vigilant and to seek counsel when questions arise.
There are actionable guidelines that can be followed that can aid compliance with HIPAA in an increasingly technological and interconnected world. Just because someone works in the medical or health care field, does not mean that they should necessarily know the ins and outs of HIPAA (and that is nothing to be ashamed of). If you have questions related to complying with HIPAA or other health care information, Berger Law can help you navigate your way through.
 42 U.S.C.S. § 1320d(4) (Lexis Advance, current through Public Law 116-135).
 42 U.S.C.S. § 1320d(4)(A) (Lexis Advance, current through Public Law 116-135).
 42 U.S.C.S. § 1320d(4)(B) (Lexis Advance, current through Public Law 116-135).
 See 42 U.S.C.S. § 1320d-1(a) (Lexis Advance, current through Public Law 116-138) (stating the “[a]pplicability of “standard[s] adopted under this part . . . .”).
 42 U.S.C.S. § 1320d(5) (Lexis Advance, current through Public Law 116-138).
 42 U.S.C.S. § 1320d(2) (Lexis Advance, current through Public Law 116-138).
 42 U.S.C. § 1395x(u) (Current through Public Law 116-147).
 42 U.S.C.S. § 1320d(3) (Lexis Advance, current through Public Law 116-138).
 See 45 C.F.R. § 164.103 “business associate”(1)(i) & (ii) (2020) (referring to persons “other than in the capacity of a member of the workforce of such covered entity”).
 See 45 C.F.R. § 164.103 “business associate”(1)(i) (2020).
 See 45 C.F.R. § 164.103 “business associate”(1)(ii) (2020).
 45 C.F.R. § 164.103 “business associate”(2) (2020).
 Warren v. Corcoran, No. 9:09-CV-1146 (DNH/ATB), 2011 U.S. Dist. LEXIS 135012, at *21 n.17 (N.D.N.Y. Oct. 20, 2011)
 45 C.F.R. § 164.105(a)(2)(ii) (2020).