Does HIPAA apply to direct care practices?
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a complex law that most patients assume applies to all of their private information in a healthcare setting. There are different aspects of HIPAA that apply to the sharing of private data with other medical providers and to the transmission of patient data electronically. The basis of HIPAA is protected health information (PHI) which has its own specific definition and requirements.
The HIPAA Privacy Rule defines protected health information (PHI) as individually identifiable health information, including demographic information, information about the patient’s physical or mental condition, genetic information, and information about the patient’s healthcare plan or payment system. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Direct primary care (DPC) practices may or may not be subject to HIPAA regulations, depending on how they operate. In fact, according to the American Academy of Family Physicians (AAFP), “pure DPCs operating completely outside of the insurance industry are not as constrained by parts of HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) act, and the Affordable Care Act that protect patients’ confidential medical information.”
DPC practices that do not transmit patient data to insurance companies are not bound by the rules of HIPAA, protecting that data. So, if a DPC physician maintains paper files and never communicates with anyone else regarding the patient, HIPAA would not apply to that practice. However, most DPC physicians maintain electronic health records (EHRs) and do communicate with other healthcare providers in the interest of providing quality care for their patients. In these cases, they are subject to the HIPAA regulations regarding PHI and ePHI.
