In this module, we start to talk about where the rubber hits the road. You understand the concept of compliance, why it's important, the principles involved, the trade-offs, and more. Now we practice together putting this into action. HIPAA, as we've discussed, is the federal law aimed at protecting the privacy of health information. However, not all health information is protected under HIPAA. Only health information held by certain kinds of organizations is. One of the first questions any compliance professional should ask is, "Does this law apply to us?" HIPAA regulates, as described in the statute, covered entities, and covered entities include healthcare providers. But only those healthcare providers who are billing electronically or, more technically correct, transmitting covered transactions electronically. These covered transactions largely have to do with billing. Well, if this is what a HIPAA-covered provider is, what kinds of providers are excluded? Generally, healthcare providers offering free services, such as free clinics, will not be HIPAA regulated. Also, healthcare providers that continue to bill using paper records, faxing, and mailing are also not HIPAA covered. How can that be? Why would the patients of those organizations deserve any less privacy than those in practices and hospitals that bill electronically? Well, it's not that there's a policy reason to treat these two populations differently. However, the statutory authority that Congress provided was built on the premise that increased electronic data sharing, facilitated by the new HIPAA administrative simplification provisions, should come with additional privacy protections. In other words, sometimes the peculiarities and technicalities of a statute can dramatically affect whether an organization is subject to a compliance regime or not. In this case, whether patients have their privacy federally protected or not.
Second, HIPAA also regulates health plans quite simply, and with almost no qualifications at all. Again, here one must read the statute, or at least the guidance from the agency, to determine if any plans are exempt from the definition. Lastly, HIPAA regulates healthcare clearinghouses, a very narrow industry sector that actively engages in facilitating the standard transactions, the electronic billing that HIPAA was originally, predominantly working to enhance. What about information sharing from a HIPAA-covered entity to someone else? Let's say a patient authorizes a hospital to share their health records with their employer. Is their employer then bound by HIPAA? No, HIPAA again only covers the activities of the covered entities. In fact, HIPAA requires that a compliant patient consent form actually state that the recipient of the information may not be bound by the privacy laws that apply to the sender. What about information shared by a covered entity with a business partner of theirs, such as a records release company or medical records software company? Well, there, most of HIPAA's requirements do apply. The law makes clear that a vendor accessing a covered entity's patient information to perform a function on their behalf is covered. The details of the business arrangement matter in this analysis, and the regulations need to be read carefully. Let's look a little closer at what's in scope of HIPAA and, therefore, what's not. Because of the very specific language that defines what types of organizations are bound to comply with HIPAA, we also can learn more about what organizations are not bound. For example, the multitude of health-related apps and devices, including wearable technology, are overwhelmingly not covered by HIPAA, because the companies that operate them are not providers, payers, or healthcare clearinghouses, unless they are in the role of business associates of covered entities.
Because privacy in the US is essentially a patchwork of laws affecting certain sectors, it's especially crucial for any privacy professional or compliance professional handling privacy to determine what laws apply to what organization, and sometimes only to certain activities of an organization. The impact of this careful read of scope is tremendous. Knowing whether the weight and consequence of a rather massive federal regulation applies to your organization will translate into what activities may be compliant or not, lawful or not.