HIPAA: Once a covered entity, always a covered entity?

Rightly or wrongly, HIPAA is perceived by many clinicians as an administrative nightmare. For those who aren’t already compliant, the task of becoming HIPAA compliant isn’t one that clinicians relish. Most clinicians who have practices that need to be HIPAA compliant accomplished this task a long time ago.

For those who/that are covered entities, is there a way to get away from HIPAA? Can clinicians who no longer wish to be “covered entities” opt out of compliance with HIPAA?

In two words: “probably not.”

There are two approaches to the question of whether one can exit from HIPAA. The first is that if clinicians cease engaging in activities that made them “covered entities,” (which in a very basic and overly-broad sense is transmitting PHI electronically for reimbursement from Medicare, Medicaid, or an insurance company), HIPAA no longer applies because they are not engaging in activities HIPAA governs. The second approach is that once clinicians become “covered entities,” they are always covered entities and there is no exit from the HIPAA framework.

It seems that the second approach is most likely correct. I believe this is the case because it came up in a conversation that I had with an attorney at HHS’ (Department of Health and Human Services’) HIPAA office. In the course of a conversation about whether clinicians who conduct forensic evaluations must abide by HIPAA if the purpose of the evaluation is solely forensic (and thus is not for healthcare purposes), the conversation turned to covered entity status. I was informed that when HHS is determining whether a health professional is a covered entity, HHS examines whether HIPAA has ever applied. According to HHS, once someone (or something) becomes a “covered entity,” the determination sticks and is not removed.

I imagine it is possible that the person at HHS with whom I spoke was wrong, and I never received a citation.  It may be a matter of regulatory interpretation.  But considering that HHS is charged with enforcing HIPAA it seems prudent to take this under advisement.  If anyone out there has information to the contrary and a reference or citation, please contact me.

IMPORTANT: This website is for basic information only. Nothing in this website should be construed to be formal legal advice, nor does it create an attorney-client relationship. Please see the “Important Information” page at the top of the screen.