As the traditional health system continues to fail patients and providers alike, more people are turning to wellness to fill in the gaping hole left by traditional health care. For those wellness practitioners wanting to serve clients as a health, wellness or lifestyle coach, aruveyda or reiki practitioner, yoga instructor, personal trainer, massage therapist, holistic health practitioner, functional medicine practitioner, nutrition counselor or many of the other titles that identify as wellness, a critical question you may ask is whether you are subject to the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA).
To answer that question, it is important to review to whom HIPAA privacy and security rules apply (hereinafter “HIPAA”). HIPAA applies to “covered entities” of which there are three types: 1) health plans; 2) health care clearinghouses; and 3) health care providers who transmit any health information in electronic form in connection with a “transaction” covered by [HIPAA]. 45 CFR § 160.102-103. Wellness practitioners are not health plans or clearinghouses, which leaves “health care provider” as the only possible category of covered entity that may apply. HIPAA defines “health care provider,” in relevant part, as a person or organization who furnishes, bills, or is paid for “health care” in the normal course of business. See 45 CFR § 160.103. To know if a wellness practitioner provides “health care” one looks to HIPAA’s definition of the term.
HIPAA defines “health care” as “care, services, or supplies related to the health of an individual.” 45 CFR § 160.103. That certainly sounds like it encompasses the work of a wellness practitioner. HIPAA provides some examples (which is not an exhaustive list): “Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body.” 45 CFR § 160.103.
Let’s break that down: a person provides “health care” if they provide a service with respect to the physical or mental condition or functional status of another person, or if they provide a service that affects the structure or function of the body. Certainly most, if not all, wellness practitioner services relate to the physical or mental condition or functional status of their clients. Or at least the services affect the structure or function of the body (or at least the wellness practitioner hopes their services will do so). As a result, wellness practitioners arguably meet the first prong of the two-pronged definition of a HIPAA covered health care provider.
The second prong is the more tricky one. For a health care provider to be a HIPAA covered entity, the provider must transmit health information in electronic form in connection with a “transaction” covered by HIPAA. HIPAA defines “transaction” as “the transmission of information between two parties to carry out financial or administrative activities related to health care.” The definition then lists some examples of the types of information transmissions that are considered “transactions”:
1. Health care claims or equivalent encounter information
2. Health care payment and remittance advice
3. Coordination of benefits
4. Heath care claim status
5. Enrollment and disenrollment in a health plan
6. Eligibility for a health plan
7. Health plan premium payments
8. Referral certification and authorization
9. First report of injury
10. Health claims attachments
45 CFR § 160.103. Most of these examples relate to health plan communications. To the extent a wellness practitioner is not involved with a health plan, they will not be engaging in most of these transactions. For example, health care payment and remittance advice, or ERA, is a phrase used to describe “an explanation from a health plan to a provider about a claim payment. An ERA explains how a health plan has adjusted claim charges based on factors like contract agreements, secondary payers, benefit coverage, expected copays and co-insurance.” See e.g., https://www.cms.gov/about-cms/what-we-do/administrative-simplification/transactions/health-care-payment-remittance-advice-electronic-funds-transfer#:~:text=What%20Is%20an%20ERA%3F,Contract%20agreements.
Because most wellness practitioners are usually not involved with health insurance claims submission or payment, we at Wellness Law, LLC believe that wellness practitioners are not technically subject to HIPAA privacy and security rule compliance. That does not mean complying with HIPAA privacy and security standards is a bad idea, as your clients are likely to value your effort to protect their health information from unauthorized uses and disclosures. Please contact us so we can help you minimize your compliance risk as a wellness practitioner. It’s what we do, and it’s what we love.