Chris Reddick and Ron Halversen explain what kind of businesses HIPAA applies to.

Part 3 of a 13-part series (Return to Part 2)

RON: A lot of times—and this is one that, as we scroll down, we came to who's covered by the HIPAA Privacy Rule, and it talks about the different entities. And I think the term Chris uses a lot is called covered entities. So who does the umbrella apply to? 


RON: One of the examples I love to give is, let's say I have a bank and Chris has his money with me. Well, if Chris puts a bunch of money in my bank and I'm holding it for him, I do not have the right to take Chris' money and go give it to anybody else unless Chris comes in and says, “Oh, I want to set up auto-debit pay, I need you to pay for a car at Honda, and I need to set up auto debit payment, and I authorize that.” Well, that's now an authorized payment. And so now I can make payments on behalf of Chris.  

But Chris, on the other hand, could walk in with a homeless person, and say, “I need some money.” And Chris could hand them $20. So Chris can do whatever he wants with his own money. But I can't do whatever I want with Chris' money.  

That is exactly the same for best practices for medical billing. Chris could turn around and say, “I've got herpes simplex ten.” Quoting one of my favorite movies, Beverly Hills Cop, “I've got herpes simplex ten,” and he could go around and tell anybody he wanted. Or let's say I've got herpes simplex ten and I could go tell anybody that I want, right? I'm okay doing that.  

But if Chris was my health care provider and I went to him to get treated for that, Chris does not have the ability to go share that—sometimes even within his own organization, because there are access and security applications as well. He can't go tell the x-ray technician that Ron's got herpes simplex ten because the x-ray technician has nothing to do with them, they have no right to that. 
 
Same with the receptionist or someone else. The only reason why the receptionist may end up knowing that information is if I called in on the phone and said, “Hey, my herpes is flaring, I would like to set up an appointment for the doctor.” Then the nurse would say, “Oh, okay, well, knowing that, since that's not urgent, the doctor's out, you can meet with their PA.” 
 
So there are certain circumstances and places where even different people may or may not gain access, or should have access, even within a simple organization. So Chris, if you want to go in deeper on that—but it is really difficult, and that's usually about the first quarter of every single phone call that comes to me when people are calling about these projects: we literally sit down and talk about their business. We talk about what data is coming in, what data would apply to ePHI data, what security level? Do we need full security level where the data can be edited, where we have to track who has access to the data, when they have access to it, what the old value was, what it's been changed to...because it can be subpoenaed for court. 
 
Are we only taking prescriptions, and those prescriptions can't be edited? So it's just an e-pharmacy taking an order. The order comes in, and we're passing that through to the back-end EMR or to the pharmacy to actually process the prescription. And since we're just storing data, but we're not editing the data, then we only have to go to what I call Level Two. We don't have to do the user-level logging.  

But in one we're releasing soon for one of the pharmacies we're working for—let's say, for example, I came in and said, “Hey, I'm in pain from my back surgery. I need some Oxy.” And so I requested a prescription of Oxy. The doctor could come in and say, “I'm not comfortable with that, but I am comfortable with some Naproxen.” He can go in and edit that and potentially change the dose and things will. Now we're editing PHI information, and that falls into a deeper level of HIPAA compliance when it comes to what data we track, what data we encrypt. 
 
So let me pause and see if I hit where you were looking for regarding pharmacy eCommerce, Chris, and I'll let you go on from there. 
 
CHRIS: Thanks. That's really the conversation we want to encourage the listeners to engage in: what are these different scenarios for you? And this is meant to be a pointer for you to be able to go and see the source of truth to answer these questions. You can see there's actually a link where you can click here where it says “for help in determining whether you are covered,” so you can go through that decision tool. It's really helpful. 


CHRIS: The one thing that I'll note here, in general, is that there are some great Q&A areas as well on the HHS website that we'll link to that also show different types of scenarios. They go through mobile applications, cloud computing, and software use cases and have Q&A and FAQs about whether or not you would [fall under HIPAA rules]. So I think these are all really helpful.  

The main takeaway here is that we want to point to this as a source of truth. I would say, just like you gave in the examples, Ron, there are some really interesting edge cases that, as you indicated, really tend to center around whether or not any data that we are passing through is transient or not and what the scenario is. 
 
But generally speaking, if you're dealing with HIPAA data, PHI data in particular, you're probably going to want to at least take the stance that you are dealing with PHI and HIPAA compliance, unless proven otherwise. And that is a really important thing. Ultimately, you can consult with experts in the field. We certainly are always interested and glad to help if you would like to engage in a complimentary discovery, just to see what our understanding would be in your situation.  

We're not legal experts, [but] we do a lot of HIPAA work. So you're always welcome to engage legal counsel who will actually be able to go through the laws in detail. This is [just] a summary from HHS. So in theory, if you want the literal source of truth, you're going to go to the actual laws.  
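Ron distinguishes above between a pass-through prescription order that is stored and forwarded unchanged (what he informally calls Level Two, with no user-level logging) and an order a prescriber can edit, where the system must record who changed what, when, and from which old value to which new one. The sketch below is an added illustration of that distinction and is not code from the episode or its hosts; the class, field names, "Level Two" label and the sample orders are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class AuditEntry:
    actor: str            # who touched the record
    at: str               # when, UTC ISO-8601
    action: str           # "read" or "edit"
    field: Optional[str]  # PHI field touched (None for a whole-record read)
    old: Optional[str]    # value before an edit
    new: Optional[str]    # value after an edit

class PrescriptionRecord:
    """editable=False: pass-through order (Ron's informal 'Level Two'), forwarded unchanged,
    no per-user log. editable=True: prescriber may alter it, so every read and edit is logged."""

    def __init__(self, patient_id, drug, dose, *, editable):
        self.data = {"patient_id": patient_id, "drug": drug, "dose": dose}
        self.editable = editable
        self.audit = []  # append-only; entries are never rewritten or deleted

    def read(self, actor, now=None):
        if self.editable:  # full level logs who accessed the record and when
            ts = (now or datetime.now(timezone.utc)).isoformat()
            self.audit.append(AuditEntry(actor, ts, "read", None, None, None))
        return dict(self.data)

    def edit(self, actor, field, new_value, now=None):
        if not self.editable:
            raise PermissionError("pass-through order: edits are not permitted")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.audit.append(AuditEntry(actor, ts, "edit", field, self.data[field], new_value))
        self.data[field] = new_value

def demo():
    # Constructed scenario mirroring the episode: one pass-through order, one edited order.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    passthrough = PrescriptionRecord("P-001", "naproxen", "500 mg", editable=False)
    try:
        passthrough.edit("dr_chris", "dose", "250 mg", now=t0)
        blocked = False
    except PermissionError:
        blocked = True
    rx = PrescriptionRecord("P-002", "oxycodone", "5 mg", editable=True)
    rx.read("dr_chris", now=t0)
    rx.edit("dr_chris", "drug", "naproxen", now=t0)
    rx.edit("dr_chris", "dose", "500 mg", now=t0)
    return blocked, len(passthrough.audit), rx.data, [(e.action, e.field, e.old, e.new) for e in rx.audit]
```

Because the trail keeps the prior value alongside the new one, the record's full history can be reconstructed later, which is the property Ron points to when he notes that such data can be subpoenaed.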

Continue to Part 4 to find out what constitutes ePHI.