HCA 360 Topic 6 DQ 1

The Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements cover some health care entities because they handle protected health information as part of their business functions and transactions. For example, if an entity such as a cleaning service provides services in a medical office and those services involve handling protected health information, then the requirement for HIPAA compliance is triggered. However, if an entity’s work does not involve exposure to clients’ protected health information, then it is not considered a covered entity. Examples of situations that put patient data at risk include: a cleaning service working within the medical organization or network that does not implement proper policies, procedures and processes to protect patient data; a third-party billing solution provider without appropriate security measures; office computers with no firewalls or without adequate software updates; employees accessing electronic patient records without authorization to do so; EHR system developers who use cookies or other tracking technologies within the software; and an EHR vendor whose systems are vulnerable to attack.

HIPAA Privacy Rule’s rules for covered entities do not protect the privacy of health information maintained by non-covered entities, such as employers, life insurers, schools and universities, or law enforcement officials. Non-covered entities can pose risks to a health care provider or organization as they may have access to protected health information (PHI).

HIPAA requires that a covered entity consider the risks to the security of ePHI when using a cloud computing service. The assessment may reveal that certain information is vulnerable, in which case the decision should be made not to store or process it in the cloud. Entities covered by HIPAA should weigh several considerations when deciding whether PHI can be stored in the cloud while ensuring it remains secure. Non-covered entities, however, are not subject to HIPAA requirements and might therefore pose a risk to health care entities.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to covered entities. Covered entities can only release protected health information (PHI) to third parties under certain circumstances and conditions; a health care provider or organization that shares patient data outside those circumstances would violate HIPAA’s privacy and security requirements.

HIPAA privacy and security requirements only cover health care entities that engage in the standard electronic transactions. Other formal or informal agreements that do not involve these transactions do not bring an entity within the definition of a covered entity.

HIPAA privacy and security requirements apply to certain health care businesses and organizations. They apply to “covered entities”: health plans, health care clearinghouses, and certain health care providers. The legal responsibilities of covered entities are known as the Administrative Simplification Rules (the Rules). If you are not a covered entity, such as a health plan or a doctor’s office, the Rules do not apply to you. However, some hospitals or doctors’ offices may also act as health plans, so they are subject to the Rules in their role as a health plan.

Health insurance plans and health care providers are the most familiar entities subject to HIPAA, though not the only ones. Health plans are an obvious candidate for privacy regulation: they handle the most sensitive type of personal information, direct payment for health care is often taken from a patient’s bank account or payroll deductions, and HIPAA provides an incentive for both employers and payers to standardize their transactions. As that incentive, HIPAA established national standards for the electronic transmission of financial and administrative transactions such as patient eligibility inquiries, payments, and remittance advice.

Certain industries are excluded from HIPAA’s Privacy Rule, including life insurance companies, most employers, and the U.S. Census Bureau. However, in some circumstances these entities may have access to the health information of patients in a covered health care organization, or may share that information with the health care organization. Therefore, it is important for covered entities to keep the PHI of their patients private and secure, regardless of their partner relationships.

Health care organizations must maintain their patients’ medical information in private and protected systems to protect the privacy of their patients.

Why do HIPAA’s privacy and security requirements cover some health care entities and not others? How might an entity not covered by HIPAA pose a risk to a health care provider or organization?