Unless you’ve been living under a rock since the late 90s, you’ve probably heard of the Health Insurance Portability and Accountability Act (HIPAA), and, like many people, may be confused about what it is and how it affects the way you do business. Put simply, if you’re not clear on your corporate responsibilities to be compliant with these regulations, then you may find your business becomes an unwilling victim of the fallout.
Over the last three decades, technology has been the primary driver of change in how business is done, and the health industry is no exception. With organizations adopting new technologies and processes at lightning speed, HIPAA was needed to ensure the security of Protected Health Information (PHI) while still allowing covered organizations to embrace new technologies that improve the efficiency and quality of patient care.
So, what exactly is HIPAA, and what does it mean for your business?
What is it?
HIPAA is a 1996 United States federal law which brought a broad range of patient privacy and confidentiality requirements under one Act. It was enacted because national standards were needed to protect sensitive health information from being shared without the knowledge or consent of the patient. While HIPAA is an umbrella term, it incorporates a set of rules defining patient data privacy requirements and how patient data is to be kept secure in an increasingly digitized world.
What is HIPAA compliance?
Essentially, compliance means that you have practices and systems in place which ensure that you are following the law to the letter. This includes training new employees and re-training all employees on a regular basis, only working with third-party vendors and partners that understand their role in PHI protection and agree in writing to be compliant, and ensuring that workplace behaviors, policies, and systems in every department comply with the rules.
Fortunately for patients, but perhaps unfortunately for organizations that violate these laws, a lack of knowledge is not a defense if you are found to be non-compliant: penalties apply even where the organization did not know it was in violation, although knowledge and culpability do affect how severe they are.
Who needs to be HIPAA compliant?
You may think the term ‘HIPAA compliance’, and the responsibility that comes with it, is easy to understand at face value, but it probably extends further than you think. Obviously, organizations that deal directly with patients must comply with the law, but any third-party vendor or partner that handles PHI on your behalf must also be compliant, and you must have a signed business associate agreement (BAA) with each of them before PHI is shared.
Should an external partner or vendor drop the ball on their own compliance in a way that affects the PHI you are protecting, your organization can also be held responsible, especially if no BAA was in place or you knew of the problem and failed to act on it.
To be painstakingly clear, HIPAA compliance is required by TWO primary groups:
- Covered entities: health plans, health care clearinghouses, and any health care provider that transmits health information electronically in connection with standard transactions (treatment, payment, and health care operations)
- Business associates (defined or contracted): any individual, group, or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity in support of treatment, payment, or operations (for example billing services, IT contractors, or cloud hosting providers)
When it comes to the law, violations can break your organization, with some HIPAA settlements running into the millions. So what are the primary rules that could affect your business?
HIPAA Privacy Rule
The Privacy Rule is all about, well, privacy. This rule focuses on how an individual’s PHI is used and disclosed as well as providing national guidelines for individuals’ privacy rights to understand and control how their information is used.
The Privacy Rule covers:
- Health Plans: any individual, group, or organization that provides or pays the cost of medical care
- Health Care Providers: any health care provider of any size who transmits health information electronically for the purpose of claims, benefit eligibility inquiries, referral authorization requests, or other transactions covered by the HIPAA Transactions Rule
- Health Care Clearinghouses: any individual, group, or organization that processes non-standard health information into a standard format, or vice versa
- Business Associates (Defined & Contracted): any individual, group, or organization that performs temporary or permanent work involving PHI by providing services or activities to the covered entities mentioned above
HIPAA Security Rule
The Security Rule sets the standards that put the Privacy Rule into practice for electronic PHI (ePHI). It provides actionable security requirements that are flexible and scalable, so that policies, procedures, and technologies can be implemented based on an organization’s size, structure, and the risk to ePHI.
The Security Rule requires organizations to:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of that information
- Protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit
- Ensure compliance by their workforce
The 3 areas of HIPAA compliance
Bringing your IT security up to scratch is only part of the battle towards becoming HIPAA compliant, so it is important to remember that a HIPAA audit will focus on the three categories of safeguard the Security Rule defines: administrative safeguards (risk analysis and risk management, policies, workforce training, and sanctions), physical safeguards (facility, workstation, and device access controls), and technical safeguards (access control, audit logging, integrity controls, and transmission security). Of these, a documented risk analysis is the one most often found missing in enforcement actions.
To ensure your organization is covered in all three areas of evaluation, it is a good idea to get in touch with a third-party HIPAA compliance expert.
The Cost of HIPAA Violations
If you think a violation won’t cost your organization much, think again. Let’s look at that term ‘violation’.
A violation does not mean one grouped incident. For instance, if your organization experiences a data leak which affects 10 patients, in the eyes of the law this may be counted not as ONE violation but as TEN, and where a deficiency persists (say, a missing risk analysis), each day it continues can be counted as a separate violation. But again, there is more to it.
So, you now have TEN patients whose data privacy has been compromised, meaning TEN violations. The next questions are to what extent your organization knew of the events that led to the compromise, how culpable you are, and how proactive your response was. A tiered system is then used to gauge your organization’s level of responsibility and what penalties are appropriate.
- Tier 1 – $100 – $50,000 per violation (max. $25,000 p/a): the organization did not know, and by exercising reasonable diligence would not have known, that it was in violation
- Tier 2 – $1,000 – $50,000 per violation (max. $100,000 p/a): the violation was due to reasonable cause and not to willful neglect
- Tier 3 – $10,000 – $50,000 per violation (max. $250,000 p/a): the violation was due to willful neglect but was corrected within 30 days of discovery
- Tier 4 – from $50,000 per violation (max. $1.5m p/a): the violation was due to willful neglect and was not corrected within 30 days of discovery
The figures above are the base amounts; HHS adjusts them for inflation each year, so the current numbers will be somewhat higher.
And this is just the financial damage to your organization. There is also the matter of criminal penalties:
- Tier 1: knowingly obtaining or disclosing individually identifiable health information – a fine of up to $50,000 and up to 1 year in prison
- Tier 2: doing so under false pretenses – a fine of up to $100,000 and up to 5 years in prison
- Tier 3: doing so with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm – a fine of up to $250,000 and up to 10 years in prison
Criminal cases are brought by the Department of Justice rather than by HHS, and individuals (not just organizations) can be prosecuted.
The possible financial and criminal penalties should be enough to show why HIPAA knowledge and compliance is important for businesses, but the ripple effect of non-compliance continues. If you do violate HIPAA and manage to escape the legal gauntlet above, you will still most likely suffer reputational damage, which in some ways can be far more permanent.
Stay smart, stay compliant
Laws can be confusing, but confusion is not an adequate defense when it comes to violations, so it’s better to be smart and do what you can to ensure you are compliant. Merit Technologies has the expertise you need to make your organization HIPAA compliant, so give the team a call today to see what they can do to help you protect your patients.