the final stage of our piece: why, what, how, and whom. We're gonna cover: to whom does HIPAA apply?
So when we talk about the security and the privacy rules, we have to understand that not every organization, facility, or entity that has any information related to my or your health falls under HIPAA's requirements.
So there are very specific organizations or practices that do fall under HIPAA. So I have these listed out. Specifically, we talk about health plans, health care clearinghouses, health care providers.
Then we have business associates and subcontractors. So we'll go through these across the next couple of slides. Now, when we talk about the covered entities, these are the entities usually that are on the front line. So I provide you some sort of service in relation to your health care.
And I am the covered entity that has that direct responsibility.
So it may be a health plan, and a lot of times when we see health plan, we think about an insurance company. It could be with Medicare, Medicaid, or any other organization that provides the processing of claims and/or essentially comes down to holding the responsibility for payment of these medical claims.
Health care clearinghouses. Um, so in this entity, I may have a specific facility, a specific branch of my organization. I might have some entity where they focus on nothing but the processing of claims, for instance, again, depending on the size of my organization.
So this idea of the clearinghouse billing service is, um, any sort of, again, you know, processing of claims, management. Uh, anything that's accumulating health care information for the community, for demographic purposes, whatever that may be, that would fall under the category of a clearinghouse. And of course, they're responsible for maintaining compliance with HIPAA.
Uh, also the direct health care providers themselves. Those are your doctors and your hospitals, medical care suppliers, anything. And let me just mention, when we talk about medical equipment, it's equipment that is distributed via a person that requires a prescription. So, for instance, if I go to a retail store and purchase a set of crutches, that does not fall under the requirements for HIPAA. If I go out and I buy non-prescription vitamins, that's not covered under HIPAA. But anything that's distributed as the result of a prescription would fall under the HIPAA requirements.
Those are the covered entities that would have direct access to that information. I may also have business associates with whom I work, and a business associate usually is someone to whom I outsource some of this information. I think I had already mentioned earlier, I might be in an environment as a hospital where I don't have the capacity in house, or maybe a doctor's office or some smaller entity. I don't have the capacity in house to process and store this information in a manner that's compliant with HIPAA. So what do I do? I look around and I find a claims processing agency that could also be considered as a clearinghouse. You know, that's kind of a fine line, but I outsource this work to another organization.
That business associate still has to maintain compliance with HIPAA, and that has not always been the case or has not been enforced as tightly as it has. And you may be familiar with the HITECH Act. I believe that was from 2010, that really put much more responsibility on business associates than they'd had in the past. But business associates, we talked about the idea that they have to meet compliance with HIPAA. But I would also stress that I, as the health care provider, do have a downstream liability for how my business associates process that information.
So I want to make sure that if I have a contract with the third party, that I very specifically line out in that contract the expectations, the security requirements, and all of those elements that I need to maintain compliance. And I need to make sure that that is, uh, audited, that I have the right to audit. I need to make sure, because I am accountable for that downstream business associate, even though they have responsibility as well.
Also, one of the things I need to be concerned about is, sometimes my business associates outsource. So I outsource to somebody that outsources that outsources that outsources in some instances. So those subcontractors also have a responsibility. But again, we have to be aware of the fact that we have downstream liability.
Sometimes I ask my classes: so if you outsource, does that eliminate risk?
No. Sometimes you increase your risk by outsourcing, right? You're turning over what you're responsible for to someone else. So we keep that in mind with our business associates and our subcontractors. They have responsibility under HIPAA, but we're still ultimately responsible for the information that we collect.