Everything You Need To Know About HIPAA and Data

If a data company is selling PII (Personally Identifiable Information) to a health care provider, but the information does not include PHI (Protected Health Information), the data company would not be considered a “business associate” under HIPAA.

A business associate is defined by HIPAA as a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI.

Because the data company sells only PII and no PHI, it is not involved in the use or disclosure of PHI and therefore does not meet the HIPAA definition of a business associate.

However, other data protection laws and regulations may still apply to the data company’s handling of PII, and the company should make sure it complies with them.

It’s also important to note that if the data company starts handling PHI in any way, such as storing, processing or transmitting it, it becomes a business associate under HIPAA and must comply with the applicable regulations, including entering into a Business Associate Agreement (BAA) with the covered entity.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a federal law in the United States that was enacted in 1996. It establishes standards for protecting the privacy and security of certain health information, known as “protected health information” (PHI). HIPAA applies to healthcare providers, health plans, healthcare clearinghouses and their business associates.

HIPAA compliance refers to the process of adhering to the regulations and standards set forth in the HIPAA law. It includes several key components, such as:

  1. Privacy: HIPAA requires that healthcare providers and other covered entities have appropriate safeguards in place to protect the privacy of PHI. This includes implementing policies and procedures for using, disclosing, and safeguarding PHI, as well as providing notice to individuals about their privacy rights.
  2. Security: HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. This includes implementing security policies and procedures, as well as regularly assessing and mitigating risks to the security of PHI.
  3. Breach Notification: HIPAA requires covered entities to notify individuals, the Secretary of the Department of Health and Human Services and, in some cases, the media, when there is a breach of unsecured PHI.
  4. Enforcement: HIPAA has various enforcement mechanisms such as civil monetary penalties, criminal penalties, and even exclusion from Medicare and Medicaid for non-compliance.
  5. Business Associates: HIPAA also requires covered entities to obtain written agreements from their business associates that the business associates will implement appropriate safeguards for PHI, and will report breaches to the covered entity.

HIPAA regulations are complex, and how they apply varies with the type of covered entity and its specific requirements. Organizations that handle PHI must ensure that they comply with HIPAA regulations and must maintain that compliance through regular assessments, audits, and employee training.

Who Enforces HIPAA Compliance?

HIPAA (Health Insurance Portability and Accountability Act) is enforced by several different agencies, depending on the type of covered entity and the specific provision of the law that is being violated. The main enforcement agencies for HIPAA include:

  1. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS): The OCR is responsible for enforcing the privacy and security provisions of HIPAA. They investigate complaints of privacy and security violations, conduct audits, and enforce penalties for non-compliance.
  2. The Centers for Medicare & Medicaid Services (CMS): The CMS is responsible for enforcing HIPAA compliance for health plans that participate in the Medicare and Medicaid programs. They conduct audits and investigations, and can impose penalties for non-compliance.
  3. The Department of Justice (DOJ): The DOJ is responsible for enforcing criminal penalties for HIPAA violations, such as those related to identity theft and fraud.
  4. State Attorneys General: State attorneys general have the power to bring civil actions on behalf of their residents for violations of the HIPAA Privacy Rule.
  5. Industry-Specific Agencies: Certain industry-specific agencies may also have oversight of HIPAA compliance for certain types of covered entities, such as the Securities and Exchange Commission for entities that are subject to the Privacy of Consumer Financial Information Rule.

It’s important to note that all covered entities are responsible for maintaining HIPAA compliance, regardless of who enforces the law. They should regularly review and assess their compliance with HIPAA regulations, and take appropriate steps to address any deficiencies or violations.

Companies That Fall Under HIPAA Regulation

HIPAA (Health Insurance Portability and Accountability Act) applies to certain types of entities known as “covered entities” and to their “business associates.” These are:

  1. Health Care Providers: Health care providers are entities that furnish, bill, or are paid for health care in the normal course of business. This includes doctors, hospitals, clinics, nursing homes, and other similar providers.
  2. Health Plans: Health plans are entities that provide or pay for the cost of medical care, such as group health plans, health insurance companies, HMOs, company health plans, and government programs such as Medicare and Medicaid.
  3. Healthcare Clearinghouses: Healthcare clearinghouses are entities that process non-standard health information they receive from another source into a standard format, or vice versa.
  4. Business Associates: Business associates are entities that perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of protected health information (PHI). This includes billing services, data analysis, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

It’s important to note that covered entities are responsible for ensuring that their business associates also comply with HIPAA regulations and that they have signed a business associate agreement (BAA) with them.

HIPAA also applies to subcontractors of business associates, who must likewise comply with the regulations and sign a BAA with the business associate.

It’s important to note that covered entities and their business associates must comply with HIPAA regulations even if they are not located in the United States as long as they transmit protected health information (PHI) electronically in connection with certain transactions covered by the Administrative Simplification provisions of the HIPAA law.

Does Any Company That Does Business With A Health Care Provider Fall Under HIPAA?

If a company does business with a health care provider, it may be considered a “business associate” of the covered entity (i.e. the health care provider) and therefore be subject to HIPAA regulations, depending on the specific nature of the relationship and the activities the company performs on behalf of the covered entity.

A business associate is defined by HIPAA as a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information (PHI). Examples of functions that would make a company a business associate include:

  • Billing services
  • Data analysis
  • Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services
  • Data hosting/cloud services
  • Data processing/transcription services
  • Claims processing
  • Data backup services
  • Data destruction services
  • Document management services

If a company is determined to be a business associate, they are required to comply with certain provisions of HIPAA, including:

  • Implementing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI
  • Implementing security policies and procedures
  • Regularly assessing and mitigating risks to the security of PHI
  • Obtaining a Business Associate Agreement (BAA) with the covered entity

It’s important to note that not all companies that do business with a health care provider are business associates, and those that are not are therefore not subject to HIPAA regulations. The determination depends on the nature of the relationship and the activities the company performs for the health care provider.

In what situations may a company do business with a health care provider but not be considered a business associate?

A company may do business with a health care provider but not be considered a “business associate” if their relationship and the activities they perform for the health care provider do not involve the use or disclosure of protected health information (PHI), as defined by HIPAA (Health Insurance Portability and Accountability Act).

Some examples of situations in which a company may do business with a health care provider but not be considered a business associate include:

  1. Providing non-health-related services: A company may provide non-health-related services to a health care provider, such as cleaning, landscaping, or facility maintenance, and not come into contact with PHI.
  2. Providing goods or products: A company may provide goods or products to a health care provider, such as office supplies, medical equipment, or food, and not have access to PHI.
  3. Providing general consulting services: A company may provide general consulting services to a health care provider, such as marketing or financial consulting, and not have access to PHI.
  4. Providing IT services: A company may provide IT services to a health care provider, such as website development, email hosting, or cybersecurity, and not have access to PHI as long as they don’t access or handle it in the process of providing their services.
  5. Providing legal services: A company may provide legal services to a health care provider, such as contract review or litigation support, and not have access to PHI as long as they don’t access or handle it in the process of providing their services.

It’s important to note that whether a company is considered a business associate or not will depend on the specific nature of their relationship and the activities they perform for the health care provider. It’s the responsibility of the health care provider to determine if a company is a business associate and ensure that they have a Business Associate Agreement (BAA) in place if they are.

What exactly is protected health information?

Protected Health Information (PHI) is a term defined by the Health Insurance Portability and Accountability Act (HIPAA) that refers to individually identifiable health information that is transmitted or maintained in any form or medium.

PHI includes a wide range of information related to an individual’s physical or mental health, including:

  1. Personal information: Information that can be used to identify an individual, such as name, address, date of birth, social security number, phone number, email address, medical record number, and demographic information.
  2. Medical information: Information about an individual’s medical history, diagnosis, treatment, and care, such as laboratory test results, physician notes, treatment plans, and medication lists.
  3. Payment information: Information about an individual’s health care payments, such as billing records and payment history.
  4. Administrative information: Information about an individual’s care, such as appointment schedules, treatment plans, and medical staff notes.
  5. Genetic information: Information derived from an individual’s DNA, RNA, proteins, or metabolites.

PHI is considered sensitive information that needs to be protected, and HIPAA regulations dictate that any covered entities and their business associates must take adequate measures to protect this information.

It’s important to note that PHI does not include de-identified health information or aggregate data that has had all personal identifiers removed. These types of information do not identify an individual and are not subject to HIPAA regulations.

What is the difference between PII and PHI?

PII (Personally Identifiable Information) and PHI (Protected Health Information) are both types of sensitive information that need to be protected, but they are not the same thing.

PII refers to any information that can be used to identify an individual, such as name, address, date of birth, social security number, phone number, email address, and other personal information. PII is protected by various federal, state and international laws, regulations and guidelines.

PHI, on the other hand, is a specific type of PII that is protected by the Health Insurance Portability and Accountability Act (HIPAA) in the United States. PHI refers to individually identifiable health information that is transmitted or maintained in any form or medium, such as medical records, lab results, and treatment plans. PHI also includes demographic information such as an individual’s name, address, date of birth, and social security number when it relates to an individual’s health care.

In summary, PII refers to any information that can be used to identify an individual, while PHI refers to a specific type of PII that relates to an individual’s health care.
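To make the distinction concrete, the following added example (not from the original article) applies the rule above to data records: a record with identifiers only is PII, the same identifiers linked to health data become PHI, and stripping the identifiers yields de-identified data that falls outside HIPAA. The field names and sample records are constructed for this example, and the identifier list is the one the article gives, not HIPAA’s full Safe Harbor list of 18 identifier types.

```python
# Added example, not part of the original article. Field names are constructed
# to mirror the identifiers and health data the article lists. HIPAA's Safe
# Harbor method enumerates 18 identifier types, so a production rule set must
# cover all of them, not just this subset.

# Fields the article names as identifying information (PII on their own).
IDENTIFIERS = {"name", "address", "date_of_birth", "ssn", "phone", "email",
               "medical_record_number"}

# Fields the article names as medical, payment or administrative health data.
HEALTH_FIELDS = {"diagnosis", "lab_results", "treatment_plan", "medication_list",
                 "billing_records", "appointment_schedule", "physician_notes"}


def classify(record: dict) -> str:
    """Return 'PHI', 'PII', 'DEIDENTIFIED_HEALTH' or 'NONE' for one record."""
    fields = {k for k, v in record.items() if v not in (None, "")}
    has_id = bool(fields & IDENTIFIERS)
    has_health = bool(fields & HEALTH_FIELDS)
    if has_id and has_health:
        return "PHI"                  # identifiable AND health-related
    if has_id:
        return "PII"                  # identifies a person, says nothing about health
    if has_health:
        return "DEIDENTIFIED_HEALTH"  # health data with every identifier removed
    return "NONE"


def deidentify(record: dict) -> dict:
    """Drop every identifier field so the remaining health data is no longer PHI."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


def is_business_associate(records) -> bool:
    """A vendor that handles any PHI record is a business associate and needs a BAA."""
    return any(classify(r) == "PHI" for r in records)


# Constructed sample data, not real people.
LEAD = {"name": "A. Example", "email": "a@example.test", "phone": "555-0100"}
CHART = dict(LEAD, medical_record_number="MRN-0001", diagnosis="hypertension",
             medication_list="lisinopril")

if __name__ == "__main__":
    print(classify(LEAD))                        # PII
    print(classify(CHART))                       # PHI
    print(classify(deidentify(CHART)))           # DEIDENTIFIED_HEALTH
    print(is_business_associate([LEAD]))         # False
    print(is_business_associate([LEAD, CHART]))  # True
```

Matching on field names is a deliberate simplification: free-text fields such as physician notes can carry names or dates inside their content, so a real data-classification pipeline must also inspect field values.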