Explosive growth in digital health over the last few years means there are many developers and managers who haven’t worked under HIPAA before. This guide is written for startups (and small businesses operating online) who could use some help with the basics of HIPAA compliance.
(a) General rule. Except as otherwise provided in this part, if a covered entity conducts, with another covered entity that is required to comply with a transaction standard adopted under this part (or within the same covered entity), using electronic media, a transaction for which the Secretary has adopted a standard under this part, the covered entity must conduct the transaction as a standard transaction.
(b) Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard.
(c) Use of a business associate. A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following:
(1) Comply with all applicable requirements of this part.
(2) Require any agent or subcontractor to comply with all applicable requirements of this part.
[65 FR 50367, Aug. 17, 2000, as amended at 74 FR 3325, Jan. 16, 2009]