As customer organizations begin to offer more non-traditional services like physical therapy, rehab classes and weight-loss, tracking the collection of personal health information has become a necessity. Information may range from simple physical data (height and weight), to cholesterol levels and blood pressure readings, to full medical histories. This material may be kept by different classes or programs and often raises the question: Is the organization subject to HIPAA regulation? In most cases the answer is no.

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to protect the privacy and security of personal health data. There are two primary components of HIPAA: the Privacy Rule and the Security Rule. The former establishes a standard for protecting an individual’s health information from distribution, and the latter sets security standards for the electronic transmission of the information.

HIPAA regulations apply only to covered entities, which are defined as “health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health & Human Services (HHS) has adopted standards under HIPAA.” Customer organizations are generally not a health plan or health care clearinghouse, but in rare cases might be a health care provider.

By HIPAA definition a health care provider includes “all providers of services (e.g., institutional providers such as hospitals) and providers of medical or health services (e.g., non-institutional providers such as physicians, dentists, and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.” According to this definition, an organization that provides health, nutrition or diet care, and is paid specifically for that care, could be considered a health care provider.

However, even if an organization is a health care provider, the rules only apply if they then transmit the information (or use a third party to transmit the information) “in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.”

These standard transactions are: 

  • Claims or equivalent encounter information
  • Payment or remittance advice
  • Claim status inquiry and response
  • Eligibility inquiry and response
  • Referral certification and authorization inquiry and response
  • Enrollment and dis-enrollment in a health plan
  • Health plan premium payments
  • Coordination of benefits

If any of these transactions is being transmitted in electronic form by the health care provider, then the provider is a covered entity and is subject to HIPAA regulations. The use of e-mail that does not directly perform one of these transactions is not sufficient to trigger HIPAA.

In short, unless the organization is: 

  • providing specific health care services,
  • paid for those services, and
  • billing or doing business with health insurance or health plans in regard to those services,

then its transactions are not subject to HIPAA regulations. However, any organization that is doing all of the above probably has accountability under HIPAA and should check with its local counsel to determine applicability and necessary action.

The popular Silver Sneakers program is generally not sufficient to make an organization subject to the statute. 45 CFR 160.103 requires both care and the sale or dispensing of a drug, device, etc. for qualification. While the organization may meet the preventive care aspect, it does not meet the latter, so it is not subject even though it transmits attendance numbers in order to receive payment.