You know what an easy way to save $1.5 million is? Follow HIPAA’s regulations. That is the amount companies are paying, on average, for each HIPAA violation, and it does not include possible job loss or jail time.

So how does one avoid such eye-popping fines and penalties? What exactly is HIPAA, and what does HIPAA compliance mean? Does my company need to comply? And if so, what are the steps to building a compliance program? We look to answer these questions and more, so that you can confidently build your company’s compliance program to protect both patient PHI and your company.

HIPAA Compliance: What Is It?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a set of rules, regulations, and processes for business associates and covered entities to follow in order to protect patient Protected Health Information (PHI). A simple way to view it is “keep people’s healthcare data private.”

Compliance with HIPAA primarily affects two groups of organizations:

1. “Business associates,” which are organizations that have access to patient information and provide support in treatment, payment, or operations. Examples include:

  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Data Aggregation
  • Management/Administrative
  • Accreditation
  • Financial

2. “Covered entities” are defined as those who provide treatment, payment, and operations in the healthcare industry. Examples include:

  • Doctors
  • Nurses 
  • Hospitals 
  • Pharmacies
  • Healthcare plans
  • Healthcare clearinghouses

Three major governmental agencies are involved with HIPAA. 

  • The Department of Health & Human Services (HHS) is the regulator at the federal level. Enforcement is handled by the Office for Civil Rights (OCR), which is part of the department.
  • State Attorneys General regulate compliance at the state level.
  • The Federal Trade Commission (FTC) watches over organizations that create, maintain, or transmit individually identifiable health information but do not fall under the business associate or covered entity categories. Examples include manufacturers of health apps like diet and fitness trackers, and of connected devices like wearable blood pressure cuffs. Basically, any product that collects PHI on behalf of consumers falls under this agency’s jurisdiction.

Interesting Fact: HIPAA’s Original Purpose

Originally the intent of HIPAA was to improve the portability of health insurance when people changed jobs (provide coverage while unemployed) and to reduce healthcare fraud and waste. President Bill Clinton, who signed HIPAA into law in 1996, stated: “The health insurance reform bill I sign today will protect the health care of millions of working Americans and give them and their families something that cannot be measured, peace of mind.” 

HHS has since rapidly expanded the Act’s reach through a series of rules:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Omnibus Rule
  • Breach Notification Rule
  • HIPAA Enforcement Rule

The result is today’s HIPAA with its focus on patient privacy and securing their healthcare data.

Importance of HIPAA Compliance

Compliance with HIPAA has led to a number of far-reaching changes for patients, their medical records, and the healthcare industry in general.

  • Patients have more control over their health information. They have the right to examine and obtain a copy of their own health records and request corrections. Before HIPAA, there were no requirements for healthcare organizations to release patients’ health information. 
  • Compliance sets boundaries on the use and release of health records. Patients can find out how their information may be used, and about certain disclosures of their information that have been made.
  • Compliance also establishes appropriate safeguards that healthcare providers and others must put in place to protect the privacy of health information. Non-compliance holds violators accountable: civil and criminal penalties can be imposed on those who violate patients’ privacy rights. Fines range from $100 to $5,000 per violation, up to a maximum of $1.5 million per violation. Violators can even serve jail time.
  • HIPAA-covered entities saw a streamlining of administrative healthcare functions, because they must use the same code sets and nationally recognized identifiers to transfer PHI securely. Electronic medical records (EMR) on medical computers are the most visible result.

Interesting Fact: Truth Behind HIPAA Myths 

Myth #1: Healthcare providers can share PHI with patients’ employers.

Fact: False. Healthcare providers and health insurance providers are absolutely forbidden from disclosing such information to employers without the patient’s explicit, written authorization.

Family members are a different story. Under the Privacy Rule, healthcare providers may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual,” the medical information directly relevant to that person’s involvement in the patient’s care or in payment for the patient’s care.

Myth #2: Providers cannot exchange a patient’s PHI among themselves without that patient’s consent.

Fact: False. HIPAA’s Privacy Regulation specifically states that a covered entity like a provider “is permitted to use or disclose protected health information” for “treatment, payment, or healthcare operations” without patient consent. 

Myth #3: Patients can sue healthcare providers for not complying with the HIPAA Privacy Regulation.

Fact: False. HIPAA does not give people the right to sue covered entities. Instead, they must file a written complaint with the Secretary of HHS via the OCR. The Secretary then decides whether an investigation is warranted.

HIPAA Compliance Checklist

Complying with HIPAA is a time-consuming but necessary task, especially for covered entities. Here’s a six-step checklist to keep you on track.

  1. Create an internal HIPAA Compliance Team. HIPAA legislation is complicated and ever-changing. HIPAA, through the Security Rule, requires covered entities such as healthcare providers to create positions like the Privacy Compliance Officer and HIPAA Security Officer, and even an “Oversight Committee,” to stay abreast of changes to HIPAA regulation.
  2. Verify whether the Privacy Rule affects your organization. The Privacy Rule protects PHI by governing the practices of all covered entities, from doctors and nurses to lawyers and insurance providers. Verify whether your business is affected by it. Life insurance companies, schools, and law enforcement, for example, are exempt from HIPAA regulations.
  3. Verify what PHI is protected. Examples include patient names, addresses, phone numbers, Social Security Numbers, medical records, financial information, and full-face photos. Your Compliance Team should have the most recent list from HHS.
  4. Prevent potential HIPAA violations. Examples include stolen devices such as laptops or phones; cybersecurity breaches (hacking, ransomware attacks); and EMR breaches. Medical computers and medical tablets can be equipped with integrated RFID readers and biometric scanners to ensure only authorized personnel are logged in. Again, check with your Compliance Team.
  5. Document everything. Make sure you and your Compliance Team document all of your company’s HIPAA efforts. Potential breach activity, PHI sharing with other entities, and security measures are examples of what should be clearly documented, updated regularly, and communicated throughout the company.
  6. Promptly deal with data breaches. Under HIPAA, a data breach is, put simply, unauthorized access to PHI. Companies should have strong cybersecurity programs to keep attackers out, as well as proper internal security measures and training. If PHI is compromised, HIPAA’s Breach Notification Rule provides a step-by-step guide to reporting the breach. This works in conjunction with any internal policies for notifying the right parties, such as law enforcement.
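Steps 3 and 6 of the checklist are the two a security team can partly automate. The Python script below is an added example, not code from the original article or from Cybernet. It shows two defensive checks: a scanner for the pattern-matchable PHI identifiers the article lists (Social Security Numbers, phone numbers, financial card numbers, validated with a Luhn checksum so that arbitrary digit runs are not flagged) plus an assumed in-house medical record number format, and an audit of a PHI access log against a role roster that surfaces the unauthorized access the article defines as a breach and lists the records each offender reached, which is the starting point for a Breach Notification Rule report. The `MRN-` format, the `AUTHORIZED_ROLES` roster, and every log line and patient value are constructed for the example; names and addresses, which are also PHI, cannot be matched reliably with regular expressions and are left out.

```python
"""Added example (not from the article or from Cybernet): two defensive checks
that support checklist steps 3 and 6.

Part 1 scans free text for PHI identifiers that can be pattern-matched.
Part 2 replays a PHI access log against an authorization roster and reports
unauthorized access, which the article defines as a breach under HIPAA.
All sample data below is constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict, namedtuple

# Identifier classes named in the article. The MRN format (MRN- followed by six
# digits) is an assumed in-house convention, not a HIPAA-defined format.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # candidate only; Luhn-checked below
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_phi(text: str) -> list[tuple[str, str]]:
    """Return (category, value) pairs for every PHI identifier found in text."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            hits.append((category, value))
    return hits


def redact(text: str) -> str:
    """Mask each identifier found so the text can be logged or shared safely."""
    for category, value in find_phi(text):
        text = text.replace(value, f"[{category.upper()} REDACTED]")
    return text


# ---- Part 2: audit PHI access against an authorization roster ----------------

AccessEvent = namedtuple("AccessEvent", "timestamp user role record action")

# Roles allowed to open a chart under an assumed minimum-necessary policy.
AUTHORIZED_ROLES = frozenset({"physician", "nurse", "billing"})

# Constructed audit-log lines: timestamp, user, role, record, action.
SAMPLE_LOG = """\
2024-03-01T08:02:11 dr.lee physician MRN-004512 view
2024-03-01T08:05:40 rn.park nurse MRN-004512 update
2024-03-01T09:15:03 j.smith marketing MRN-004512 view
2024-03-01T09:16:22 j.smith marketing MRN-009931 export
2024-03-01T10:30:00 billing.01 billing MRN-004512 view
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the space-separated audit format; reject malformed lines loudly."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(AccessEvent(*parts))
    return events


def unauthorized_access(events, authorized_roles=AUTHORIZED_ROLES) -> list[AccessEvent]:
    """Events where a user outside the authorized roles touched a PHI record."""
    return [e for e in events if e.role not in authorized_roles]


def affected_records(events) -> dict[str, list[str]]:
    """Map each offending user to the records they reached; this is the starting
    point for the Breach Notification Rule's list of affected individuals."""
    reached = defaultdict(set)
    for e in unauthorized_access(events):
        reached[e.user].add(e.record)
    return {user: sorted(records) for user, records in reached.items()}


if __name__ == "__main__":
    note = ("Patient Jane Doe, SSN 123-45-6789, phone (555) 123-4567, MRN-004512, "
            "card 4111 1111 1111 1111, ref 1234 5678 9012 3456.")
    for category, value in find_phi(note):
        print(f"{category:>5}: {value}")
    print(redact(note))
    for event in unauthorized_access(parse_log(SAMPLE_LOG)):
        print("UNAUTHORIZED:", event)
    print(affected_records(parse_log(SAMPLE_LOG)))
```

In the sample note, the 16-digit reference number `1234 5678 9012 3456` fails the Luhn check and is left alone, while the card number, SSN, phone number and MRN are masked; in the sample log, the two `marketing` accesses are reported with both records the user reached. A real deployment would feed `find_phi` with outbound e-mail or ticket text and `unauthorized_access` with the EMR's own audit trail, and would extend the roster with per-patient care relationships rather than roles alone.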

Closing Comments

The primary aim of the Health Insurance Portability and Accountability Act, or HIPAA, is to protect individuals’ medical records and other protected health information (PHI). Several government agencies, led by HHS, have laid out the Rules for business associates and covered entities to follow. If your company falls under these groups and you’re interested in how medical computers can help with HIPAA compliance, contact a representative from Cybernet.

Also follow Cybernet on Facebook, Twitter, and LinkedIn to stay up to date on this and other relevant topics.