
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a creature of federal law that protects the privacy and security of certain patient health information and governs how it may be used and disclosed. It also lets patients control their health information by letting them view and get copies of their records, send electronic copies to others, and ask for changes to be made.
HIPAA can be divided into three main parts: the Privacy Rule, the Security Rule, and the Breach Notification Rule. There are two main government actors at play: the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). HHS makes the rules and OCR enforces them.
As a business, you should consider whether it makes sense, in the first place, to deal with all of the gigantic HIPAA-potamus red tape. After all, there is a business expense to properly comply. This Article will help you figure out whether HIPAA applies or when it will apply, so you can be informed on whether you should sidestep or take the HIPAA-potamus head-on.
In short, whether HIPAA applies depends on what you do. That is, what you do is who you are. And the Hungry, Hungry HIPAA eats only if you're covered.
Does HIPAA Apply in the Face of State Law? Preemption
Before we dive into the water with the Hungry, Hungry HIPAA, you should know that many states have mini versions of their own health privacy and security laws. So, whether HIPAA applies and to what extent it applies may depend, in part, on whether state law controls.
To begin, look at the specific part(s) of HIPAA and the state law(s) in question that relate to the particular issue at hand. The key question to ask is whether the two laws are "contrary." Federal and state laws are contrary if either of two things is true: it would be impossible to comply with both, or the state law would stand as an obstacle to accomplishing the full purposes and objectives of HIPAA. [1] If you can follow both federal and state laws, then great, we're good to go!
Let's assume that the federal and state laws are contrary. In this case, you'll need to determine which law is more "stringent." [2] If you asked yourself, "what the heck does 'stringent' mean in this context?" Great job...you're tracking! The more stringent law is the one that provides greater privacy protections or privacy rights to patients, or that places more restrictions on the use or disclosure of health information. Why is this important? Because the more stringent law controls.
So, in sum, here's what you should ask. First, is state law contrary to HIPAA? If not, Hip Hip-AAarray! But if it is contrary, then go on to ask whether the state law in question is more stringent than HIPAA. If it's not more stringent, then HIPAA applies, and the Hungry, Hungry HIPAA eats. Otherwise, state law controls. If you want, a health lawyer like myself can help you to iron this wrinkle out with confidence.
What is Covered – Protected Health Information
As mentioned above, there are three main parts to HIPAA. The Privacy Rule sets standards for protecting the privacy of Protected Health Information (PHI), which is medical records and other individually identifiable health information. The Security Rule sets standards for securing PHI that is created, received, held, or transferred in electronic form. We call this electronic Protected Health Information (ePHI). This means the Security Rule does not apply to PHI transmitted orally or on paper, so it protects only a subset of the information covered by the Privacy Rule. Now, of course, there is tons of compliance stuff too, but that's not the focus of this Article.
What you need to know is that if PHI is on the plate, it’s what the HIPAA-potamus eats. So, now you know what is covered.
Who is Covered – Are you a Covered Entity or Business Associate?
First, Covered Entities (CEs) are, yes, you guessed it, covered by HIPAA. These include healthcare providers who transmit PHI electronically, [3] health plans (insurers, but also employer health plans), and clearinghouses (third parties that sit between a healthcare provider and those paying for the service). [4]
Second, Business Associates (BAs) are directly on the hook too. BAs are persons or entities that create, receive, transmit, or maintain PHI in performing services on behalf of a CE. These include data storage companies, lawyers, accountants, consultants, etc. whose services involve access to PHI; subcontractors that create, receive, maintain, or transmit PHI on behalf of another BA; and health information organizations (HIOs).
Business associate activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. [5]
The Hungry, Hungry HIPAA-potamus eats CEs and BAs
If you’re a CE or BA dealing with PHI, it’s likely the Hungry, Hungry HIPAA-potamus has eyes on you. For help in determining whether your business is covered, use CMS's decision tool. For additional help, you should consider reaching out to your go-to healthcare lawyer. I’m here for you.
[1] 45 C.F.R. § 160.202.
[2] 45 C.F.R. § 160.203.
[3] HIPAA Transactions Rule (45 C.F.R. §§ 160.102, 160.103); see Social Security Act § 1172(a)(3), 42 U.S.C. § 1320d-1(a)(3).
[4] 45 C.F.R. § 160.103.
[5] See the definition of "business associate" at 45 C.F.R. § 160.103.

This is super helpful, I never knew that it could differ so much from state to state!