The Health Insurance Portability and Accountability Act (HIPAA) is a set of laws that govern the protection of sensitive patient health information. Within HIPAA there is a subset of regulations, including the HIPAA Privacy Rule and the HIPAA Security Rule. It is important to understand the specifics of each, since they govern different aspects of health information.
For organizations that handle protected health information, maintaining HIPAA compliance is not optional. Knowingly or unknowingly violating HIPAA can lead to hefty fines and even potential jail time, depending on the severity and frequency of the offense.
Some of the biggest data breaches in history have involved the release of protected health information (PHI). For instance, Health Share of Oregon suffered a data breach when a laptop with unencrypted PHI was stolen. Personal information of more than 650,000 members was obtained by the cyber thieves.
Do you handle PHI? If so, you’re bound by HIPAA.
Does your organization process, handle, manage or store protected health information? If so, maintaining HIPAA compliance is crucial. Not only are the penalties for noncompliance steep, but individuals have a right to keep their personal health information private.
Below is a brief overview of the HIPAA Act, as well as some helpful tips on how to maintain HIPAA compliance in your organization.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to mandate national standards for protecting patient health information from being disclosed without their knowledge or consent.
The HIPAA Privacy Rule was enacted under HIPAA in 2000 as a way to establish regulations to meet HIPAA requirements. For example, the Privacy Rule governs how and when a patient’s health information can be used, disclosed and accessed, both online and offline. The Privacy Rule also grants individual patients the ability, to a certain extent, to control how their private health information is used. The Privacy Rule refers to this information as protected health information (PHI).
The HIPAA Security Rule was enacted in 2003 and governs the protection of electronic protected health information (ePHI). This rule requires organizations to have a system in place to maintain ePHI securely at all times, including whenever they create, receive, maintain or transmit ePHI. The Security Rule also requires organizations to mandate workforce compliance.
Who is subject to HIPAA regulations?
Entities subject to the HIPAA Privacy Rule are called “covered entities,” which typically include the following individuals and organizations:
- Healthcare providers. This includes individual doctors, nurses, surgeons and even healthcare organizations and hospitals.
- People who process or store health data. Anyone who works with private health data is considered a “covered entity,” including individuals working in claims and benefits departments, referral authorization requests and even web hosts storing data or hosting applications used by healthcare providers.
- Insurance companies. Any company that pays for a person’s medical care or prescriptions is subject to the HIPAA Privacy Rule. For instance, Medicare and Medicaid are covered entities, along with companies that handle dental insurance payments, vision care payments and discount prescription drug programs. Also included in this list are group health insurance plans with 50 or more participants provided by organizations such as churches, employers and the government.
- Business associates. Any person or business hired to perform tasks that involve handling private healthcare information for a covered entity is itself considered a covered entity.
What is protected health information (PHI)?
PHI includes, but is not limited to, the following:
- Diagnostic images
- Medical records for adults and minors
- Any indices of patients
- Lab results
- Medical bills
- Surgical procedure registries
- Prescription drug histories
- Appointment dates and times
When permission is not required to disclose information.
There are some situations that do not require permission to use or disclose PHI.
These exceptions include:
- Disclosing PHI to the individual, such as when accounting for disclosures or granting access
- When a healthcare professional discusses a patient’s information for the purposes of providing treatment, accepting payment or otherwise providing healthcare services
- When the law requires disclosure
- When the patient is a victim of abuse or domestic violence
- During court proceedings
- For some research purposes
- When organ or tissue donation is involved
- To prevent or mitigate a serious threat to public health and safety
- When processing workers’ compensation claims
Penalties for non-compliance are steep.
The circumstances surrounding each violation determine the penalty, but in general the penalty ranges are as follows:
- Unknowing violations: $100–$50,000 per violation, up to $25,000–$1.5 million per year
- A violation from reasonable cause: $1,000–$50,000 per violation, up to $100,000–$1.5 million per year
- Willful neglect: $10,000–$50,000 per violation, up to $250,000–$1.5 million per year
- Willful neglect and failure to correct the violation: $50,000 per violation, up to $1,000,000–$1.5 million per year
You can’t sneak past HIPAA; organizations are frequently fined for violations. In one such instance, the University of Rochester Medical Center lost a flash drive and a laptop containing PHI that wasn’t encrypted. The end result was a $3 million settlement.
How to comply with the HIPAA Privacy and Security Rules
To ensure your organization complies with all HIPAA regulations, you need a system and strategy in place to handle the following:
- Hire an outside organization to assess your current security systems and strategies and fix any areas that need reinforcement.
- Encrypt all data end-to-end, including email communications, without exception.
- Ensure all personnel adhere to strict guidelines governing PHI.
- Implement a strict IT security policy that governs access by device, not by user.
- Make sure all employees know not to post about their experiences with patients on social media. Healthcare workers, including EMS workers, have been sued for social media posts that violate HIPAA.
- Strengthen your contracts with individuals, organizations and independent contractors, binding them to operate according to your security standards.
- Hire a provider to test vendor cybersecurity. If you’re using software provided by a third-party vendor and you handle PHI, you will be held liable for violations caused by your vendor’s security oversights. Unfortunately, third parties are a major source of data breaches.
Need help assessing vendor cybersecurity for HIPAA? Panorays can help.
You can’t take chances with your vendors. If they’re not following cybersecurity policies that meet HIPAA standards, the data you process is at risk, meaning your organization is at risk as well.
Panorays can assess the strength of your vendors’ security posture and suggest ways to strengthen it. To learn more, request a free demo today.