What does HIPAA compliant mean? What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act. Set in place in 1996, this federal law required the creation of national standards so as to protect the rights and privacy of patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, relates to the use and disclosure of an individual’s health information. This “protected health information” addresses an individual’s rights to information, their access to and control over said information. A whopping 41% of Americans have yet to see their own personal health information. However, 8 out of 10 individuals who have viewed their medical records online have found the information useful.
Individual rights under the privacy rule include:
- Access to information
- Request amendments or changes to medical records
- Statement of disagreement
- Restrictions requests
One of the most important roles of the Privacy Rule is to safeguard an individual’s information while also allowing the information to circulate enough so as to ensure high-quality healthcare for that individual. There is a balance to it all, and can be very difficult to keep up with alone.
IT services can be very important to aid in ensuring that this law is protected for you and your employees. There are a number of ways IT can help:
- Strong passphrase and password creation
- Ransomware creation – encryption software to protect devices
- Safety from and knowledge about your dark web presence
- Cloud services for data backup
- Secure texting and messaging solutions
And many more.
The Security Standards for the Protection of Electronic Protected Health Information, or Security Rule sets in place a national set of standards to protect certain health information that is accessed or transferred through electronic means. According to the US Department of Health & Human Services, “the Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).” The hipaajournal.com lists a series of specifications found in the Security Rule that guarantee HIPAA compliance and security in relation to technology. Some of these include:
- All Protected Health Information (PHI) must be encrypted at rest and in transit.
- Each medical professional authorized to access and communicate PHI must have a “Unique User Identifier” so that their use of PHI can be monitored.
- The use of any technology to comply with HIPAA must have an automatic log off to prevent unauthorized access to PHI when a mobile device is left unattended (this also applies to desktop computers).
These rules are set in place for a reason. If you or your company are not aware of these rules or the rights available to you, it is very important for you to begin to understand why some businesses NEED to be HIPAA compliant.
Not all companies are required to be HIPAA compliant. Only companies that have access to protected health information (PHI) are required by law to be compliant. Covered entities are some of the required businesses. These include health plans (Medicare, HMOs, Medicade, etc.), healthcare clearinghouses, and healthcare providers are required by law to be HIPAA compliant. If you are a Business Associate for these Covered Entities, however, you are also directly liable for compliance with certain HIPAA requirements. A Business Associate can a vendor or subcontractor who has access to PHI. To give you an idea of what sorts of Business Associates are out there, here are a few examples:
- Data processing firms or software companies that may be exposed to or use PHI
- Medical equipment service companies handling equipment that holds PHI
- Shredding and/or documentation storage companies
- Consultants hired to conduct audits, perform coding reviews, etc.
- Lawyers
- External auditors or accountants
- Professional translator services
- Answering services
- Accreditation agencies
- E-prescribing services
- Medical transcription services
If you’re wondering if your company falls under any of those categories, here are a few that do not qualify as Business Associates:
- Covered Entity’s Workforce
- Individuals or companies with very limited and incidental exposure to health information, such as a telephone company, electrician, etc.
- Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
If you handle PHI in any way, you should really look into becoming HIPAA compliant. It can be an arduous task, so what could happen if you are not compliant?
To put it lightly, depending on the perceived level of “negligence” a fine can be as minimal as $100. If the violator is lucky, the violation could be dealt with internally by an employer.
To put it less lightly, if you are fined for willful violations of HIPAA rules, the minimum fee is $50,000. The maximum criminal penalty is $250,000. This does not include compensation that may be required to pay the victims. Similarly, as this is a federal act, there may be a required jail term on top of the financial penalty. This could be on top of job termination and facing sanctions from professional boards.
Of course, it all depends on the nature of the violation, whether the violation was intentional or unintentional, if there was action taken to correct the violation, if harm was caused, how many people were impacted, etc. The best way to ensure that this does not happen to you or your business is to just become HIPAA compliant.
Need help, we are here for you. Reach out to us on our website https://www.responsivetechnologypartners.com/cyber-security-and-compliance/
Or call us at (877) 358-9388
-
Sources:
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
https://www.healthit.gov/sites/default/files/YourHealthInformationYourRights_Infographic-Web.pdf
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
https://www.truevault.com/blog/do-i-need-to-be-hipaa-compliant.html
https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/
