What an interpreting agency should know about HIPAA

HIPAA for Interpreting Agencies

We want to provide the best services possible for interpreting agencies. In our quest to accomplish that, we have worked with many individuals and entities. This document shares the lessons learned with interpreting agencies.

Our Compliance

Let us start by stating that we are HIPAA compliant. Just because we are doesn't mean your agency is too. We meet all regulatory requirements regarding the security and protection of an individual's health care information. For your agency to comply, there are some things it should understand, which are covered in the rest of this article.

Summary of the HIPAA Security Rule (U.S. Department of Health & Human Services)

PHI: (Protected Health Information)

The clearest definition from a government source has been the following.

The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.

We have found the legal definition, as given in Public Welfare (45 CFR 160.103), to be vague.

Protected health information means individually identifiable health information:
  1. Except as provided in paragraph (2) of this definition, that is:
    1. Transmitted by electronic media;
    2. Maintained in electronic media; or
    3. Transmitted or maintained in any other form or medium.
  2. Protected health information excludes individually identifiable health information:
    1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
    3. In employment records held by a covered entity in its role as employer; and
    4. Regarding a person who has been deceased for more than 50 years.

Many agencies consider any information relating to a patient potentially PHI. We believe this is a misconception. Cornell University defines health information as follows, and we haven't found anything with legal standing that says otherwise.

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

  1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Covered Entity: (Health care Provider)

The clearest definition from a government source has been the following.

A Covered Entity is one of the following: [Figure: covered entities]

When Does An Agency Need To Comply?

First, let's determine whom HIPAA was meant for. The following quote is a clear definition for entities that are required to comply.

Who must comply with HIPAA privacy standards?


As required by Congress in HIPAA, the Privacy Rule covers:

  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See our business associate section and the frequently asked questions about business associates for a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.

For an interpreting agency, that means HIPAA is designed for health care providers. If the health care provider decides they need to present health care information to the interpreting agency, then the health care provider will need to have a BAA between them, the covered entity, and you, their business associate. That isn't the only BAA needed. The following section is designed to clear up questions regarding BAAs.

When BAA Is Needed

A HIPAA business associate agreement (BAA) is needed when a health care provider (potentially an agency's customer) needs to provide health-related information (not information to identify an individual) to the interpreting agency. It is the responsibility of the health care provider to use their discretion on the necessity of the BAA. If a BAA is signed binding the health care provider to the interpreting agency, then another BAA would be required binding Aqua Chroma (the company behind Aqua Schedules) and the interpreting agency. If a BAA is signed binding the interpreting agency with Aqua Chroma, then a BAA is also needed between the interpreting agency and every interpreter who may see the health-related information.

We don't mind retaining health information because security and privacy are our priorities. The following flowchart is designed to help you determine if BAAs are needed for your agency.


The following flowchart is designed to help you understand the network of BAAs required for all entities to provide complete HIPAA coverage if a covered entity (health care provider) decides they need to provide the agency with health care information. Since the agency almost always considers interpreters to be subcontractors, each of them would need a BAA with the agency.

Please let us know if any source websites are updated and links no longer work or fail to contain the source information.