The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed to protect patient information and give patients control over their medical records. Though compliance may seem like a tedious process, it matters whether you are a doctor’s office staff member, a hospital administrator, or simply a patient with health records on file. Ensuring that your business or practice is HIPAA compliant protects you from costly fines and, for knowing misuse of patient data, even criminal charges and jail time.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, was passed by Congress to protect patient information and privacy by giving patients control over their health records. The act is divided into five titles; Title II (Administrative Simplification) contains the Privacy Rule and the Security Rule that govern how protected health information (PHI) may be used, disclosed, and safeguarded, and these rules apply equally to private and government-run covered entities. Make sure that you organize training for the entire staff, because HIPAA requires workforce training on your privacy and security policies. This way you ensure that everyone understands the importance and proper handling of PHI (Protected Health Information).
Quick Guide to HIPAA Compliance
Though it may seem like a lot, there are some straightforward steps you can take to ensure that your business or practice is HIPAA compliant. First, read the act and its implementing rules (the Privacy, Security, and Breach Notification Rules) and become familiar with their requirements. Next, determine whether your current IT staff has what it takes to update all necessary software and hardware and to train employees on how to work with these changes. Create a breach response plan that ensures affected patients are notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. Lastly, ensure that you have an up-to-date business associate agreement (BAA) with any third-party vendor that handles patient records on your behalf, so that its obligations for safeguarding PHI are spelled out in writing.
Why is HIPAA Compliance Important?
Complying with HIPAA regulations protects you from costly fines. The Department of Health and Human Services (HHS), through its Office for Civil Rights, can impose civil money penalties that are tiered by the level of culpability, from roughly $100 per violation at the lowest tier to more than $50,000 per violation at the highest, with an annual cap of about $1.5 million for violations of the same provision (the figures are adjusted for inflation). HIPAA is federal law and applies directly to covered entities in every state: doctors’ offices, clinics, individual health care providers, and home health agencies, including those that bill Medicare and Medicaid. Many states layer their own, often stricter, health privacy laws on top of it.
HIPAA applies whether or not a company is publicly traded; the Sarbanes-Oxley Act governs financial reporting and neither adds to nor replaces HIPAA obligations. Protecting patient privacy is not only the law, but also the right thing to do. Patients deserve to know that their personal information is safe and will not be shared without their consent, beyond the uses the Privacy Rule expressly permits (such as treatment, payment, and health care operations).
Who must abide by HIPAA regulations?
HIPAA is a federal law, and it applies to covered entities and their business associates of every size. There are two categories of entities that must comply with HIPAA regulations:
- Covered entities are health plans (including health insurance companies), health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks.
- Business associates are persons or companies that create, receive, maintain, or transmit protected health information (PHI), including electronic PHI (ePHI), while performing functions or services on behalf of a covered entity. This can include lawyers, consultants, accountants, billing companies, cloud and IT service providers, and any other third party that handles PHI.
- Business associates are not members of the covered entity’s workforce, nor are they the patients whose PHI they handle; their obligations come from the business associate agreement and, since the HITECH Act, directly from the HIPAA rules themselves.
Some organizations need to look more carefully at whether, and how, the rules apply to them:
- Not-for-profit agencies that provide some health care services but never bill or transmit standard transactions electronically may fall outside the definition of a covered health care provider, although any PHI they receive from a covered entity remains protected.
- Employers that sponsor a group health plan for their employees, including self-insured medical, dental, and vision plans. The group health plan itself is a covered entity, and the employer must keep plan PHI separate from employment records and decisions.
- State Medicaid programs, which are health plans and therefore covered entities that must comply with HIPAA regulations.
What are the penalties for not complying with HIPAA?
There are a few different penalties that can be levied against organizations that are not HIPAA compliant. The most common is the imposition of civil money penalties by HHS. These are tiered by culpability, from roughly $100 per violation for a violation the entity did not know about to more than $50,000 per violation for willful neglect that is not corrected, with an annual maximum of about $1.5 million for violations of the same provision (the amounts are adjusted for inflation). Since the HITECH Act, business associates can be fined directly for not complying with HIPAA regulations, not only through the covered entity they serve.
There are penalties for individuals who do not comply with the regulations, as well. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA can face criminal fines and imprisonment, with harsher penalties when the offense is committed under false pretenses or for commercial advantage, personal gain, or malicious harm. If you work at a covered entity and become aware of a possible breach of PHI or ePHI, report it internally right away: the organization’s 60-day notification clock starts when the breach is discovered, or reasonably should have been discovered, by any member of the workforce.
Best practices for ensuring you are HIPAA compliant
- The first step is to ensure that your business associate agreement (BAA) with every third-party vendor has been updated and that each vendor is clear on its responsibilities for protecting patient information. If you receive or store any electronic PHI (ePHI), the next step is to put the Security Rule’s technical safeguards in place: access controls with unique user IDs, audit logging, integrity controls, encryption of ePHI in transit and at rest, and network protections such as firewalls. Document a risk analysis that shows why the safeguards you chose are adequate for the risks you identified.
- Regular training for all staff members is a must if you want to be compliant with HIPAA regulations. Before new employees are given access to PHI or ePHI, ensure that they have completed training and been granted only the access their role requires. Apply the same minimum-necessary standard to contractors who are granted any level of access to PHI, and review that access periodically.
- The next step is more difficult: breach notification. If there is a security incident and your risk assessment shows that PHI has been compromised, you must notify affected patients without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within that period and to prominent media outlets serving the affected area; smaller breaches must be logged and reported to HHS annually. Failing to notify is itself a violation, subject to the same tiered civil penalties up to the annual cap of about $1.5 million per provision.
- The last step is to update your policies and procedures. This means clarifying who has access to PHI, what data they can access, how it must be stored and secured, and how access is reviewed and revoked when a role changes or someone leaves. You may also want to update any written agreements with business associates that reference outdated HIPAA regulations or clauses that no longer apply now that the Omnibus Rule (2013) has been adopted.
We live in a digital world and the healthcare industry is no exception. With instant access to patient information at our fingertips, IT support becomes an integral part of any healthcare organization. HIPAA compliance has become more complex because of this shift and can put your company at risk if it’s not taken seriously by management or staff members. By following the best practices mentioned above, you can ensure that your business is compliant and minimize the risk of penalties or a data breach.