For healthcare companies, HIPAA is a major concern. Far from a "buzzword," HIPAA refers to very real regulatory and privacy obligations that all providers have to take into account. This blog will help providers better understand what HIPAA is and how to properly comply with it.
HIPAA compliance matters because it helps ensure that medical records are stored in a consistent format, protects patient privacy, and improves the ability to send information to hospitals and other doctors as needed, with fewer errors.
Overview of HIPAA
HIPAA stands for the Health Insurance Portability & Accountability Act. Passed by Congress in 1996, HIPAA is intended to ensure the following:
- That patients can transfer their records when they change health insurance. In the past it was not uncommon for patients to have to go over their entire medical history again.
- That health care fraud and abuse is reduced.
- That all health care information is stored according to industry-wide standards.
- That protected health information is handled in a secure and confidential manner.
Protected health information (PHI) covers all information that relates to an individual's physical or mental condition, the health care they have been provided, and related financial data. If the information can be linked to a specific person, it is protected regardless of the format in which it is stored. (So, yes, HIPAA also applies to printouts and paper files, although it is generally associated more with electronic and digital information.)
How does HIPAA ensure Portability of Records?
HIPAA ensures that records can be transferred to a new insurer or provider. It is not necessary to obtain patient consent each time information is provided to another health care provider, such as a specialist. The law requires providers to give copies of all protected health information to the patient, or to a provider or insurer at the patient's request. Since 2013, the time limit for this is 30 days.
How does HIPAA Protect Patient Information?
Healthcare companies are often the target of hackers. HIPAA helps healthcare companies keep patient information secure by requiring such things as limiting staff access to PHI. The rules also say that:
- Companies should have a sound cyber security policy, such as requiring that laptops be encrypted if they are taken off-site and training employees in good cyber hygiene.
- Data breaches must be reported to HHS. Major breaches (500 or more individuals) must be reported within 60 days of discovery; minor breaches (fewer than 500 individuals) must be reported within 60 days after the end of the calendar year in which the breach was discovered.
- Patients affected by a breach must be notified within 60 days of discovery.
If you have a data breach and it is determined that negligence or poor practices were involved, you may be fined for a HIPAA violation. Common causes of violations include:
- Laptops, phones, flash drives and other devices being stolen or lost
- Hacking or malware, including ransomware
- A third party associate leaking information
- PHI being sent to the wrong person (watch that "reply all"...)
- PHI being discussed face-to-face outside the office
- Ill-thought-out social media posts
Although you cannot always prevent being hacked, the other common issues can easily be addressed with proper protocols and training.
Why is Compliance Important?
There are two main reasons why HIPAA compliance is so important:
1. A data breach can affect your reputation and cause both existing and new patients to go elsewhere. American Medical Collection Agency, which provided billing services to a number of organizations, actually went bankrupt in 2019 after a major data breach.
As more of these breaches hit the news, patients and families may start asking hard questions about the billing services a provider uses or how the provider keeps their data safe. In some cases, patients have filed lawsuits against providers they saw as being careless with their data.
2. HIPAA violations can result in severe penalties. There are four tiers of HIPAA violation, ranging from Tier 1 (genuine accidents, where the person was unaware of the violation and would not have uncovered it with due diligence) through Tier 4 (willful neglect). Fines range from $117 per violation for Tier 1 all the way up to $58,490 per violation for Tier 4.
Fines are adjusted for inflation, and these figures are as of November 5, 2019. Fines can be applied on a daily basis, and because state attorneys general can also issue fines, fines may be charged in more than one state. Employees can sometimes be found criminally liable and may face as long as 10 years in jail. It is therefore absolutely vital to provide proper training, as even an accidental violation can result in significant fines.
HIPAA compliance is part of the cost of doing business for healthcare companies. Ensuring that you and your employees stay within the law requires, first, making sure everyone knows what the law is and, second, practicing good cyber security.
If you need more help and advice on how to stay HIPAA compliant, contact WheelHouse IT today.