Is your business affected by HIPAA regulations?

Not sure if you should be concerned about HIPAA regulations? It’s time to start thinking about it if you haven’t already: on March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”


How does this affect your business? Well, if you’re a covered entity or a covered entity’s business associate you could, of course, be selected for auditing. But even if you don’t draw the short straw when it comes to being audited, you can still face liability costs if you’re found to be out of compliance. According to an April Bloomberg BNA article, New York-Presbyterian Hospital reached a $2.2 million settlement with the OCR after the agency alleged that the facility had violated HIPAA when they allowed filming of patients without those patients’ consent.


While hospitals are a fairly obvious example of covered entities, you should be aware that hospice care providers, palliative care providers, and respite care providers are also considered covered entities under HIPAA. This means that if one of your company’s clients provides any of these kinds of care, you may be considered a business associate under HIPAA.

  • Hospice care – involves terminally ill patients. This type of care is designed to support people in the final phases of a terminal illness and focuses on quality of life and comfort instead attempting to cure the illness.
  • Palliative care – involves chronically ill patients, although not necessarily terminally ill ones. This type of care is designed to provide relief from the symptoms and stress of a serious illness.
  • Respite care – involves planned or emergency care for a patient in order to provide temporary relief to caregivers (usually family members).


Generally speaking, a business associate is any individual or organization that creates, receives, transmits, stores, or otherwise maintains Protected Health Information (PHI) on behalf of a covered entity for a function regulated under HIPAA. Further, the obligation to comply with HIPAA applies to business associates even if they have no formal agreement with the covered entity stating that they are considered business associates.


If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. Please contact us to register if you’d like to attend.


Additional information on HIPAA:

  • For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?
  • To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?