HIPAA 2013-Public Health Disclosures Without Authorization-What Happened?

HIPAA 2013 Continues to Allow for Public Health Reporting

My discussion of HIPAA 2013 regulations threatens to violate a principle of this blog which is to generally discuss things related to HIPAA and privacy in ways that people can understand, regardless of whether they are lawyers, doctors or Indian Chiefs.

By necessity, my post on HIPAA 2013 may get a little weedy.  If you hate weeds, take an airboat over them and skip to the end of the post for a quick summary.

Quick Background on HIPAA & Public Health

HIPAA historically contained an exemption to the authorization requirement for public health reporting.  This means that covered entities can and must report certain events to public health authorities and can do so without patient authorization.  Public health activities include the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions.   You can probably see why it’s important that health care providers help public health authorities track things like disease outbreaks and sexually transmitted diseases.

Carrying this theme forward,  Section 13405(d)(2) of HITECH contained an exception to the authorization requirement for exchanges of protected health information for  public health activities, as described at § 164.512(b) of the HIPAA Privacy Rule.

Another quick historical fact is that HIPAA generally frowns upon the “sale” of protected health information without patient consent.  It’s a pretty big no-no. However, some providers may charge a fee to the public health authority for providing public health data.  Generally, the providers charge only the cost to them of making the report, as well as a reasonable charge for their time.  This practice has not been historically considered “sale” of data and there has been a recognized exception carved out for public health reporting.  However, if charges get out of hand, the HHS Secretary has the authority to restrict the amount charged.  There had been some discussion about whether this restriction would be made in the new rules.

It was not.  In HIPAA 2013, HHS did not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data. So, although the sky is not the limit, there appears to be some room for covered entities to charge actual costs plus their time.

My prediction is, however, that if covered entities attempt to make public health reporting a profit center, HHS will quickly revisit the issue.  The takeaway is that covered entities should keep their costs fair and reasonable.

Again, HIPAA 2013 regulations continue to allow covered entities to exchange information for public health activities and for covered entities to charge a fee for reporting.

One small addition was made to § 164.502 to reference § 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. A limited data set is protected health information that excludes many direct identifiers of the individual or of relatives, employers, or household members of the individual, such as names, postal addresses other than town, city, state and zip code, and social security numbers.  There was a need to reference limited data sets because it can often be time and resource-consuming for a covered entity to produce them.


AIRBOAT THROUGH HIPAA 2013 Public Health Reporting

1.  Covered entities can and should still report everything mandated by state and federal law to the public health authority and can do it without the patient authorizing it.

2.  Covered entities can charge a fee for doing it.  They shouldn’t get too cute with it.

3.  Public health reporting is good public policy and HHS continues to recognize this.



Tomorrow I will discuss the impact of the HIPAA 2013 Changes to Public Health as it relates to immunizations.

Sleep well!

HIPAA 2013-Public Health Updates

Julie Meadows-Keefe

HIPAA 2013 is HERE!


The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information Technology for Economic and Clinical Health (HITECH) provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare.  In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!


HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity).  Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).


If you are a covered entity, make sure that you are doing your public health reporting as required by state and federal law and NOT delegating that function to a business associate.

HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!



Identity Theft Often Begins at the Workplace

Julie Meadows-Keefe

Identity Theft and the Mythical Evil Hacker Across the World.


When we think about identity theft, maybe we tend to think about evil hackers in foreign countries trying to gain access to our data.

Or maybe we think about cerebral kids with nothing better to do than to try and gain access to confidential databases for the sheer love of doing it.

We may also picture paper medical records being thrown into the trash and being retrieved by someone who uses them to take out credit cards, loans or apply for benefits.

Sometimes the last thing we think of is malicious data theft by employees we hire to serve our patients.

Identity Theft Under Our Noses!

This recently occurred at a clinic serving low income patients in Palm Beach County, Florida.  Here, the individual had been collecting the data to sell as part of a fraud scheme.  Fortunately, a delivery truck driver grew suspicious of the woman, who ostensibly wanted to spend $36.00 to ship a card overnight.  The driver opened the package and discovered lists with clients’ information.  The information included clients’ social security numbers.  The employee was fired and has been arrested on several counts of fraud.

Additionally, in Texas there have been several reports of similar identity thefts.

A former Texas Department of Health and Human Services worker in Mount Pleasant assumed the identity of clients receiving immunizations and other services at the Texas Department of Health and Human Services. She then used this client information and applied for credit cards online and – once approved – made as many purchases as the credit card would allow.  The former employee was arrested and several hundred patient names and social security numbers were retrieved from her residence.

The former employee has been charged with Fraudulent Use or Possession of Identifying information, a 2nd Degree Felony, and Credit Card Abuse, a State Jail Felony.

What Can Be Done to Prevent Identity Theft By Trusted Employees?

Unfortunately, it is impossible to filter all bad apples out of the barrel of potential job applicants.  Perhaps employees fall on hard times and feel that stealing confidential information is a quick way out of financial difficulty.  They may not seek employment involving confidential data with the intent to steal it.  They may also think there is a low likelihood they will be caught.  This is where their logic falls apart.

Most employers storing and utilizing confidential data electronically are deploying tracking software.  This allows them to see which employees are accessing what data and when it is being accessed.  Assuming that the employer has someone assigned to check those logs, it can be easy to detect unauthorized access, thereby decreasing the likelihood that improperly accessed patient data can be used for identity theft purposes.  If you have not deployed tracking software, this should be a top priority to accomplish in 2013.
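The paragraph above leaves open what "checking those logs" actually looks like. The script below is an added example, not code from this post or from any tracking product; it assumes a hypothetical pipe-separated access-audit format (timestamp, user, patient, action) and a hypothetical care-team assignment table, both constructed inline. It applies the three checks a reviewer would most want for the insider cases described in this post: a chart opened for a patient the user has no assigned relationship with, access outside business hours, and one user touching an unusual number of distinct patients in a day.

```python
"""Review EHR access-audit records for signs of insider misuse.

Added example, not code from the original post or any vendor. The log
format, the assignment table and the thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log (hypothetical format: ts|user|patient|action).
AUDIT_LOG = """\
2013-01-14T09:02:11|nurse_a|P1001|view
2013-01-14T09:05:40|nurse_a|P1002|view
2013-01-14T22:47:03|clerk_b|P2001|view
2013-01-14T22:48:15|clerk_b|P2002|view
2013-01-14T22:49:02|clerk_b|P2003|export
2013-01-14T22:49:50|clerk_b|P2004|export
2013-01-14T22:50:31|clerk_b|P2005|export
2013-01-15T10:15:00|nurse_a|P3001|view
"""

# Constructed care-team assignments: which patients each user legitimately works with.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P2001"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
BULK_THRESHOLD = 4  # distinct patients in one day before volume is flagged


def parse_log(text):
    """Parse the pipe-separated log into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def review_access(records, assignments, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (rule, user, detail) findings.

    Rules:
      no_relationship - user opened a chart for a patient not on their assignment list
      after_hours     - access outside BUSINESS_HOURS
      bulk_access     - user touched many distinct patients in one calendar day
    """
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        if r["patient"] not in assignments.get(r["user"], set()):
            findings.append(("no_relationship", r["user"], r["patient"]))
        if not (BUSINESS_HOURS[0] <= r["ts"].time() <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", r["user"], r["ts"].isoformat()))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))
    return findings


def users_to_escalate(findings, min_rules=2):
    """Users who tripped at least min_rules distinct rules; one rule alone is
    often a legitimate cross-cover, several together warrant a human look."""
    rules_by_user = defaultdict(set)
    for rule, user, _ in findings:
        rules_by_user[user].add(rule)
    return sorted(u for u, rules in rules_by_user.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = review_access(parse_log(AUDIT_LOG), ASSIGNMENTS)
    for f in found:
        print(f)
    print("escalate:", users_to_escalate(found))
```

On the constructed log, nurse_a trips a single rule once (one chart outside her assignments, which is what a float shift looks like), while clerk_b trips all three rules in one evening, which is the pattern to escalate. The thresholds are deliberately simple; the point is that someone has to be assigned to look at the output, as the post says.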

Next, employers should be consistently training on HIPAA Privacy and Security Policies. This training should contain ample “scare tactics” of what happens to people who violate the policies.  I’ve included two examples in this post.  Jobs are lost, arrests are made, lives are ruined.

It is gratifying to see that both employers in the above examples appear to have acted appropriately in terminating the employees, communicating with authorities and potentially affected patients, and reflecting transparently on what other measures they are taking to assure these incidents do not occur again.

If you are cultivating a culture of compliance in your organization, it goes a long way towards making sure that identity thieves do not feel welcomed as employees.



HHS Is Serious About Privacy and Security!

HHS is serious about privacy and security! Last week, HHS again demonstrated this on January 2, 2013, when HHS announced the first HIPAA breach settlement involving fewer than 500 patients. The provider, Hospice of North Idaho (HONI), settled with HHS for $50,000.

This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI entered into a 2 year CAP (corrective action plan) with HHS which included the following findings and requirements, all of which demonstrate that HHS is serious about privacy and security:

  1. HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to January 17, 2012. In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
  2. HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011.
  3. HONI was required to designate an authorized representative to be the point of contact with HHS throughout the 2 year corrective action plan.
  4. HONI has to report to HHS any violations of its Privacy and Security policies and detail remedial actions they have taken to respond to the violation.
  5. Any further HIPAA violations can result in additional civil money penalties.

The Resolution Agreement can be found here.

You should know that the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

So many problems can be averted through diligent and consistent usage of encryption and common-sense measures that staff may use when traveling with computers and other mobile devices.

HHS is serious about Privacy and Security.  You and your practice should be too.


What Are Physical Safeguards?

Julie Meadows-Keefe

Physical Safeguards are important.

You never know who your patient (or patient’s mom) is…

A few nights ago my daughter was sick enough to warrant a trip to the ER. (She’s fine now, thank you).

In my haste to get her there, I left my cell phone at home so on two occasions I used the phone at a station in the ER. On one occasion, I was led to the phone where the staff member dialed 9, let me dial the number and left me standing in front of the computer screen on the desk. It had identifiers for the current patients in the pediatric ER. I deliberately averted my eyes.

On the next occasion, the staff member dialed 9 and the number I wanted and instructed me to stand behind the computer screen.

Props to staff member number 2. She used what’s known as physical safeguards, which simply means that she used measures to prevent me from seeing other people’s information.

HIPAA’s Definition of Physical Safeguards

HIPAA defines physical safeguards as policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.  Therefore, health care providers like the ER must implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. HIPAA also requires that health care providers implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

In this example, a provider serving mainly HIV patients entered into a resolution agreement with Health and Human Services that required it to reposition its computer monitors to prevent patients from viewing information on the screens. The practice installed computer monitor privacy screens to prevent impermissible disclosures.

Physical Safeguards Are Important

This isn’t meant to call out a “wrongdoing”, just to illustrate how easy it is to forget to protect someone’s data and how easy it is to protect it.

Training staff on practices using actual scenarios like mine and repeating the training often are keys to success. Ingrain it so it can’t be forgotten easily. Kind of like those ubiquitous “employees must wash hands before returning to work” signs.

Have you ever seen anyone’s data by mistake? What did you see?


Are NFL Teams Covered Entities Under HIPAA?

Even NFL coaches know about HIPAA and are interpreting it to the news media!  John Harbaugh, head coach of the Baltimore Ravens, got pretty peeved the week after the Ravens were fined $20,000 by the NFL for not listing Ed Reed on the injury report.  Harbaugh said that the team will cite every “hangnail” going forward, and questioned the validity of the weekly report.

“There’s no credence on the injury report now,” Harbaugh said. “It doesn’t mean anything. It has no value. The injury report has no value.”

Ed Reed confessed he had been playing most of the season with a slightly torn labrum. The Ravens never listed him because he hadn’t missed any game or practice time with the injury.

“If a guy that goes out there and doesn’t miss a practice and doesn’t miss a game and doesn’t want to be on the injury report and we have to put him on the injury report, I want the league’s answer on that,” Harbaugh said. “I’m looking forward to hearing that.”

Harbaugh also questioned the wording of the league’s injury report policy which states, “All players with significant or noteworthy injuries must be listed on the report, even if the player takes all the reps in practice, and even if the team is certain that he will play in the upcoming game. This is especially true of key players and those players whose injuries have been covered extensively by the media.”

“I’ll go back to the significance thing. The way the thing is written, it says, ‘if a player has practiced fully or played fully and he has an injury and he is a significant player and it affects his play, then he should be on there.’ Well, I think player safety is important for all of the players. I’m going to say that every injury is significant,” Harbaugh said. “If that’s how they want to word it, I’m not going to go with the league saying that one player is more significant than another player. That’s absurd to me. They can get mad at me if they want for saying that, but they need to write that a little more clearly. We’ll just put every guy on there that has a hangnail and go from there.”

Harbaugh also voiced concerns about player’s privacy. “Aren’t there HIPAA rights here?,” Harbaugh asked. “If I’m a player and I’ve been out there playing and I don’t want that on the injury report and I’m told I have to put that on the injury report, we’ve got some players that resent that. So yeah, I got a problem with that in all honesty.”

Some quick research on my part produced this link to the NFL Injury Report where, for example, you can see that Atlanta Falcon Zach Streif and Atlanta Falcon Sam Baker are both struggling with groin issues.   So I assume from all of this that NFL players are required by the terms of their contracts to disclose conditions that might impact their play.  Further perusal of the website led me to theorize that one of the purposes of the injury report is to assist fantasy football participants and Vegas odds-makers.  I guess if you were betting on the Kentucky Derby you’d want to know if your horse had a groin injury.  Same difference, right?

And coach Harbaugh’s HIPAA reference gives me a jumping off point to clear up a frequently believed myth that anytime someone’s health information is disclosed, someone or some entity has violated HIPAA. This is not the case.  HIPAA can only be violated by individuals and entities within HIPAA’s purview.  These are called covered entities.  HIPAA violations can also be committed by business associates who have contracts with covered entities.  I initially was going to say that it would appear that the National Football League and its teams are not covered entities.  The players are contracted employees of their teams and HIPAA does not apply to employers.  So health records in your employment file aren’t protected under HIPAA, but may be protected by other confidentiality laws.  But then I realized that the teams have physicians who treat the players.  Physicians are typically covered entities when they treat patients.  So then I went to this flowchart.  I would argue that the main job of NFL teams is playing football, but accompanying that, they are obviously intimately involved with the health of a player and his ability to play. So it would appear that the teams furnish health care in the normal course of business.  So we say “yes” and move forward on the chart.


Then, the next part of the chart asks if the person or business sends any covered transactions electronically.  I do not know what their practice is; however, if they do send electronic transactions, the chart indicates the team would be a covered entity.  If it does not send electronic transactions it would not be covered by HIPAA.  So, if all the health information is transmitted by paper only, they could ostensibly scoot out from under HIPAA.    Also, it could be that players agree to disclosure of relevant injuries as part of their contracts.  Further, from the sound of this article, it sounds like players only have to report general types of injuries and that things like the specific treatment they are undertaking would be covered by HIPAA.

So my conclusion is that team treating physicians are covered by HIPAA so only the most general type of disclosure is made, but specifics of treatment and other non-football related health issues are not disclosed due to HIPAA concerns.

Please comment if you think differently or have some insight to add.




Are You Antsy over ANSI & Why It’s Hanging Out in HIPAA Regs?

ANSI stands for the American National Standards Institute. ANSI is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide. For example, standards ensure that people who own cameras can find the film they need for that camera anywhere around the globe.  The Institute administers five standards panels including the Healthcare Information Technology Standards Panel.  The panel works to identify, coordinate, and harmonize relevant voluntary standards relevant to these areas.  So you may now see why ANSI would be relevant to HIPAA.

ANSI is referenced in Section 160.103 of the Health Insurance Portability and Accountability Act (HIPAA), within the definitional section. HIPAA authorizes HHS to require the use of standards for the electronic exchange of health care data and to specify what medical and administrative code sets should be used within those standards.   Later, ANSI appears in the administrative requirement section of HIPAA, Section 162.940, which explains how an organization may petition HHS to deviate from standard transactions and code sets.  HHS sets forth a list of evaluative criteria by which such requests will be examined.  The petitioning process is extensive and burdensome. In part, an organization must show that the modification is supported by an ANSI-accredited standard setting organization or public organization that would maintain the standard over time.


There has been much discussion and gnashing of teeth regarding a looming requirement that all HIPAA covered entities update to ANSI 5010 and begin using the updated ICD-10 code set. Here, think of ANSI 5010 as the pipeline and ICD-10 as the oil—the highly detailed and discrete coding information system to help ensure precise reimbursement.

By October 1, 2014, all covered entities must be ready to embrace the new coding system, having made all the necessary technological updates and provided adequate training to physicians and administrative staff.

ANSI Understanding?

Hopefully, you now have a better idea about ANSI’s role in standardizing the method by which health care information is coded and conveyed.

Please comment if you have thoughts or questions.  You can also e-mail me @ julie@esq140.com.

Julie Meadows-Keefe


How to Scrub Your PHI

Julie Meadows-Keefe

Protected Health Information (PHI) is Personal

Protected health information (PHI) is some of the most personal information that exists about you and me.  It includes things like our date of birth, height, weight, address, contact numbers, family member names, medication history and more.  Generally an individual receiving health care knows that their PHI will be used for their treatment, for payment and for certain health care operations.  Do they also know that their PHI can be sanitized (de-identified) and used for research?

PHI Can Be De-Identified, and therefore, less personal.

At long last, the HHS Office for Civil Rights (OCR) has issued guidance regarding how health insurers, clearinghouses and medical providers should strip patient records of identifying information, in order to permit data to be exempt from privacy restrictions and used in clinical and research studies.

The HHS guidance presents two methods by which health care companies can satisfy a so-called de-identification standard contained within the privacy rule of the Health Insurance Portability and Accountability Act, affectionately known as HIPAA.  These two methods are expert determination and safe harbor.  OCR’s guidance is designed to assist covered entities to understand de-identification, the general process by which de-identified information is created, and the options available for performing de-identification.

The HIPAA Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following certain de-identification methods. The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

If a covered entity decides to de-identify information via the expert route, the guidance states that the following criteria must be met:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination;


Interestingly, OCR takes pains to state that there is no particular credential necessary for this expert.  If the matter becomes one of OCR enforcement, OCR would look at a particular expert’s qualifications on a case-by-case basis. The expert does not necessarily need to be a statistician.

If a covered entity decides to de-identify by entering the “safe harbor”, there is a rather exhaustive list of what information must be removed.  This includes names, street addresses, complete ZIP codes, telephone numbers and social security numbers.  OCR points out that only 3 data points (date of birth, gender and ZIP code) uniquely identify over ½ of US citizens.
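To make the safe harbor concrete, here is an added example of what scrubbing a single record under that method looks like in code. It is not code from OCR’s guidance or from this post. The record layout and the sample patient are constructed; the rules applied are the ones the safe harbor method itself lists at 45 CFR 164.514(b): remove the direct identifiers outright, keep only the year of any date tied to the individual, collapse ages of 90 and over into a single "90+" category (and drop the birth year for those patients, since it would reveal the age), and truncate ZIP codes to their first three digits, or to 000 where the three-digit area is sparsely populated. The set of restricted ZIP prefixes in the code is a placeholder, not the real census-derived list, and the free-text patterns are a simple heuristic, not a substitute for the "no actual knowledge" test the rule also requires.

```python
"""Safe harbor style scrubbing of one patient record.

Added example, not code from OCR's guidance, this post or any vendor. Field
names, the sample record and RESTRICTED_ZIP3 are all constructed.
"""
import re
from datetime import date

# Direct identifiers that safe harbor removes outright (named as in the
# constructed record below; a real record would map its own field names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "photo", "biometric",
}
# Dates tied to the individual: only the year may survive.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# PLACEHOLDER: 3-digit ZIP prefixes whose population is 20,000 or fewer.
RESTRICTED_ZIP3 = {"036", "059"}  # constructed, not the real list

# Heuristic patterns for identifiers that leak into free-text note fields.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")

# Constructed sample record (no real person).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Lane",
    "city": "Tallahassee",
    "state": "FL",
    "zip": "32301",
    "date_of_birth": "1921-03-02",
    "admission_date": "2012-11-05",
    "phone": "850-555-0100",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "gender": "F",
    "diagnosis_code": "E11.9",
    "notes": "Pt called from 850-555-0100; SSN 000-00-0000 on file.",
}


def zip3(zip_code):
    """First three digits, or 000 for a restricted prefix."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def scrub_text(text):
    """Redact SSN- and phone-shaped strings from free text."""
    text = SSN_RE.sub("[SSN]", text)
    return PHONE_RE.sub("[PHONE]", text)


def safe_harbor(record, as_of):
    """Return a new dict with safe harbor identifiers removed or generalized."""
    out = {}
    dob = date.fromisoformat(record["date_of_birth"]) if "date_of_birth" in record else None
    age = age_on(dob, as_of) if dob else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "date_of_birth":
            if age < 90:  # birth year of a 90+ patient would reveal the age
                out["birth_year"] = dob.year
        elif key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age >= 90 else age
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, date(2013, 1, 15)))
```

Run against the constructed record, the output keeps state, a three-digit ZIP, the admission year, gender and the diagnosis code, drops the name, address, phone, SSN and MRN, redacts the phone and SSN that were sitting in the note text, and, because the patient is over 89, reports "90+" with no birth year. The point the post makes about date of birth, gender and ZIP is exactly why the year-only and three-digit rules exist.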

PHI is Irresistible to Researchers and Others Because it is a Rich Resource

My personal take on this dates back several years when I recognized that HITECH was inextricably tied to the Affordable Care Act in the following ways:

  1. HITECH has incentivized health care providers through both a carrot and stick approach to adopt electronic health records.
  2. HITECH established funding for networking health care providers to share this data.
  3. HITECH, through the mechanism of meaningful use has developed a methodology for collecting health data on all patients.  This includes things like smoking status and body mass index.
  4. The Affordable Care Act ties patient outcome and cost of care to reimbursement.
  5. To control health care costs and maximize better health care outcomes, it makes sense to draw from all available data to see what treatments work best for high-cost chronic conditions that strain the health care system such as heart disease, asthma and diabetes.  The data has to come from somewhere.
  6. Privacy advocates and others are concerned that our health information will be grist for the research mill whether we want it to be or not.
  7. Many individuals are concerned about privacy breaches involving their most sensitive personal information.
  8. On the other hand, researchers, policy-makers and others are salivating over the rich data that now exists to answer many compelling questions and bring us further down the road to curing cancer and other devastating illness.

Varying interests must be balanced moving forward, but one wonders if a patient will be able to fully comprehend that their health information may be scrubbed and used for research.  Perhaps we all have a moral obligation to contribute to the body of scientific research aimed at helping us all live healthier lives.  But at what point could such research be used to deny care, on the basis that it has been proven that a particular treatment very seldom succeeds yet is very expensive?


We enter into a brave new world.  May patients, providers and the public remain engaged on the topic of PHI. Please leave a comment if you’d like to join the discussion!


What is a Health Care Clearinghouse?

What is a health care clearinghouse?  Most people hear the word “clearinghouse” and think of commercials featuring shocked sweepstakes winners having their lives changed when strangers come to their door with tv cameras, balloons, bouquets  and big cardboard checks.

However, for purposes of HIPAA (Health Insurance Portability and Accountability Act), a health care clearinghouse is an entity that transforms or translates data from one form to another so that it is usable for a particular purpose. A health care clearinghouse is a covered entity under HIPAA.  That means that a health care clearinghouse is governed by HIPAA.

In trying to understand the nature of a health care clearinghouse, imagine the difficulty you have traveling abroad and not speaking the native language.  You will need a translator in order to communicate.  A clearinghouse can be thought of as a sort of translator.  A clearinghouse can also organize or structure data.  Whereas health data used by a doctor or hospital may be useful to them for documenting patient care, data in that form may not be useful to payors.  Data may need to be coded or presented in a certain way to be usable for a permitted purpose.

Health care clearinghouses can be public or private entities.  As HIPAA defines a clearinghouse, the entity is most often one of the following:

  • a billing service
  • a repricing company (which takes the bills, matches them up with the insured’s contract with the hospital, and adjusts them to the pre-negotiated price)
  • a community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.   A key objective of HIPAA was to require national uniform methods and uniform codes for the exchange of electronic information between health care providers and health plans.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care clearinghouses make data user-friendly for particularized purposes.  Most often, clearinghouses are trying to convert data for billing purposes, price comparison and cost-effectiveness analysis.  It’s reasonable to speculate that health care clearinghouses will have an enhanced role to play in a post-Affordable Care Act world, because the costs and benefits of particular treatments and the efficient use of resources will become even more important.

Although you have not won a sweepstakes by reading this post, you now know what a health care clearinghouse is, how it functions, its purpose and why it’s important for clearinghouses to understand HIPAA’s requirements.

If you need assistance understanding HIPAA’s applicability to your organization, contact me: julie@esq140.com or leave a comment below.


What is a Health Plan?

Health Plans Under HIPAA

Julie Meadows-Keefe
Health Plans are important to Americans.  HIPAA applies to health plans, health care providers and health care clearinghouses.

What does HIPAA Consider a Health Plan?

Today, I want to focus on its applicability to health plans, 45 CFR 160.102(a)(1). Health plans are probably familiar to you.  These are most often known as health insurance companies.  More specifically, a health plan means an individual or group plan that provides or pays the cost of medical care.

I’ll provide a quick list of further definitional aspects of what constitutes a health plan.  A health plan includes any one or more of the following:

(i) A group health plan;

(ii) A health insurance issuer;

(iii) An HMO (Health Maintenance Organization);

(iv) Part A or Part B of the Medicare program;

(v) The Medicaid program;

(vi) An issuer of a Medicare supplemental policy;

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy;

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;

(ix) The health care program for active military personnel under title 10 of the United States Code;

(x) The veterans health care program under 38 U.S.C. chapter 17;

(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);

(xii) The Indian Health Service program under the Indian Health Care Improvement Act;

(xiii) The Federal Employees Health Benefits Program;

(xiv) An approved State child health plan under title XXI, providing benefits for child health assistance;

(xv) The Medicare+Choice program under Part C of title XVIII;

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals;

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

What’s not considered a health plan under HIPAA?

Any discussion of what a health plan includes should also include a list of what’s excluded from the definition of a health plan.  These exclusions include:

(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or

(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

Under HIPAA, there is a rather specific laundry list of what is and isn’t a health plan.

It’s intuitive to think you already know what a health plan looks like for general purposes, but I hope that it was helpful to receive more details regarding how HIPAA defines a health plan.

If your organization would like further training, please contact me at