CMS Tool for HIPAA Compliance

January 26, 2022

By: Gabriel S. Oberfield, Esq., M.S.J.

The pandemic has accelerated the U.S. healthcare system’s ascent into the digital age – and privacy standards are along for the ride. Recognizing this, the Federal Centers for Medicare and Medicaid Services (CMS) of the U.S. Dept. of Health and Human Services recently promoted a tool and related refreshed resources to help organizations and individuals determine whether they are a Covered Entity (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). (A reminder: a CE is subject to HIPAA regulations.) The tool has particular salience in relation to HIPAA’s standards for electronic transactions.

Early in January 2022, CMS republicized a decision-tree template, the “HIPAA Covered Entity Decision Tool,” to help health care providers and organizations determine whether they are a CE under the law. This resource is replete with hyperlinks intended to provide practical direction on whether an entity’s activities rise to the nature of electronic health care transactions contemplated under the HIPAA standards. The tool walks users through hypotheticals intended to identify whether they (as providers, clearinghouses or health plans) fall within, or outside of, HIPAA. For those of a certain age (including this writer) who may remember the popular “Choose Your Own Adventure” book series targeted to middle schoolers during the 1980s and 1990s, the tool similarly relies upon the reader to make selections that drill the user downward to the final answer – here, whether the user is a CE under the circumstances presented.

We encourage Bond clients operating in the healthcare space to familiarize themselves with the tool, to view a recent Bond Health Law Outlook on the larger HIPAA regulatory environment in the context of the pandemic, and to take stock of the broader healthcare data privacy environment and its regulatory overlay. This is especially important when (as Bond recently reported) ransomware attacks are on a rapid rise in healthcare settings – and cybersecurity is of such prominence that it even has profound implications for global peace. 

If you have any questions about the information presented in this memo, please contact Gabriel S. Oberfield, any attorney in our Health Care practice or the attorney at the firm with whom you are regularly in contact.