Has your office become so comfortable with HIPAA that your staff members’ eyes glaze over as soon as you start talking about it? Maybe it’s time for a refresher on why compliance with this federal law is so important.
According to HIPAA Journal, state attorneys general can issue fines of up to $25,000 per violation category, per calendar year. The Department of Health and Human Services Office for Civil Rights (OCR) can issue fines of up to $1.5 million per violation category, per year.
There are also potential fines for individuals who violate HIPAA Rules, as well as criminal penalties, with some violations carrying a sentence of up to 10 years in prison. Those facts should make even the most uninterested employee sit up and listen.
The Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996, is a federal law that requires covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and their business associates to protect and keep confidential patients' personal health information. The law also strictly regulates the use or disclosure of such information without proper patient authorization. The combined text of all HIPAA regulations published by HHS runs to 115 pages.
There are hundreds of ways that HIPAA Rules can be violated. The HIPAA Journal lists the following as the most common HIPAA violations:
- Impermissible disclosures of protected health information (PHI)
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Failure to conduct a risk analysis
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to provide patients with copies of their PHI upon request
- Failure to implement access controls to limit who can view PHI
- Failure to terminate access rights to PHI when no longer required
- Disclosing more PHI than is necessary for a particular task to be performed (a violation of the minimum necessary standard)
- Failure to provide HIPAA training and security awareness training
- Theft of patient records
- Unauthorized release of PHI to individuals not authorized to receive the information
- Sharing of PHI online or via social media without permission
- Mishandling and mismailing PHI
- Texting PHI over unsecured channels
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
- Failure to notify affected individuals (and the Office for Civil Rights) of a breach of unsecured PHI without unreasonable delay, and in no case later than 60 days after the breach is discovered
- Failure to document compliance efforts

To avoid a costly compliance issue, health care organizations must implement policies and procedures to ensure all staff members follow the law carefully.
Organizational computer networks, data centers, personal computing devices, and all systems that store or transmit PHI should be continuously monitored so that unauthorized access to personal health information is detected and prevented.
Here are some ways your organization can ensure you are in compliance with HIPAA:
- Appoint a privacy officer and a security officer (the Privacy Rule and Security Rule each require a designated official)
- Host regular training for the members of your workforce
- Perform HIPAA risk analyses and compliance audits
- Provide a Notice of Privacy Practices to all patients
“Policies must be incorporated to protect the privacy and security of patient information and employees should be educated from the moment they are hired and continually after, to respect and protect patient privacy,” said Peter McCord, Med3000 President and CEO.
HIPAA Refresher
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. It is a federal law designed to help protect your health information.
What does HIPAA do?
HIPAA protects the privacy and security of patient medical information in both written and electronic forms and establishes safeguards that health care providers must implement to protect that information. It also sets the terms on which medical information can be transmitted to other providers and to health insurers. It gives patients more control over, and access to, their medical information and sets limitations on the use and release of that information.
What does the HIPAA Privacy Rule require the average provider or health plan to do?
- Notifying patients about their privacy rights and how their information can be used.
- Adopting and implementing privacy procedures for its practice, hospital, or plan.
- Training employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
What information is protected under HIPAA?
The HIPAA Privacy Rule protects "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "Protected Health Information," also referred to as "PHI." PHI is information created or received by a covered entity that: (i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and (ii) identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual.
The following are examples of identifiers that could be considered individually identifiable information:
- Names
- Geographic subdivisions smaller than a state, including street address, city, county, and ZIP code
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- E-mail addresses
- Social security numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Additional information about HIPAA and patient privacy is available from Health and Human Services: https://www.hhs.gov/hipaa/for-professionals/index.html