For healthcare companies, HIPAA is a major concern. Far from a “buzzword,” HIPAA refers to very real regulatory and privacy requirements that every provider has to take into account. This blog will help providers better understand what HIPAA is and how to comply with it properly.
HIPAA compliance matters because it helps ensure that medical records are stored in a consistent format, protects patient privacy, and improves the ability to send information to hospitals and other doctors as needed, with fewer errors.
Overview of HIPAA
HIPAA stands for the Health Insurance Portability & Accountability Act. Passed by Congress in 1996, HIPAA is intended to ensure the following:
- Patients can transfer their records when they change health insurance. In the past, it was not uncommon for patients to have to go over their entire medical history again.
- Healthcare fraud and abuse are reduced.
- All healthcare information is stored according to industry-wide standards.
- Protected health information is handled securely and confidentially.
Protected health information (PHI) covers all information related to an individual’s physical or mental condition, the health care provided, and related financial data. If the information can be linked to a specific person, it is protected regardless of the format in which it is stored. (So, yes, HIPAA applies to printouts and paper files, although it is generally associated more with electronic and digital information.)
How does HIPAA ensure the Portability of Records?
HIPAA ensures that records can be transferred to a new insurer or provider. When information is provided to another healthcare provider, such as a specialist, it is unnecessary to obtain patient consent. The law requires providers to give copies of all protected health information to the patient, and to a provider or insurer at the patient’s request. Since 2013, the time limit for this is 30 days.
How does HIPAA Protect Patient Information?
Healthcare companies are frequent targets of hackers. HIPAA helps healthcare companies keep patient information secure by requiring measures such as limiting staff access to PHI. The rules also say that:
- Companies should have a sound cyber security policy, such as requiring laptops to be encrypted if they are taken off-site and training employees in good cyber hygiene.
- Data breaches must be reported to HHS within 60 days after the end of the calendar year in which the breach was discovered for minor breaches (fewer than 500 individuals), or within 60 days of discovery for major breaches.
- Patients affected by a breach must be notified within 60 days of discovery.
If you have a data breach and it is determined that negligence or poor habits were involved, you may be fined for a HIPAA violation. Common causes of violations include:
- Laptops, phones, flash drives, and other devices being stolen or lost
- Hacking or malware, including ransomware
- A third-party associate leaking information
- PHI being sent to the wrong person (watch that reply all…)
- PHI being discussed face-to-face outside the office
- Ill-thought-out social media posts
Although you cannot always prevent being hacked, the other common issues can easily be addressed with proper protocols and training.
Why is Compliance Important?
There are two main reasons why HIPAA compliance is so important:
1. A data breach can affect your reputation and cause existing and new patients to go elsewhere. American Medical Collection Agency, which provided billing services to several organizations, went bankrupt in 2019 after a major data breach.
As more breaches hit the news, patients and families may start asking hard questions about the provider’s billing services or how it keeps their data safe. Furthermore, patients have sometimes filed lawsuits against providers they saw as careless with their data.
2. HIPAA violations can result in severe penalties. There are four tiers of HIPAA violation, ranging from Tier 1 (for genuine accidents, where the person was unaware of the violation and would not have uncovered it with due diligence) through Tier 4 (for willful neglect). Fines range from $117 per violation for Tier 1 all the way up to $58,490 per violation for Tier 4.
The fines are adjusted for inflation, and these figures are as of November 5, 2019. Fines can be applied on a daily basis, and because state attorneys general can also issue fines, fines may be charged in more than one state. Employees can sometimes be found criminally liable and may face as long as 10 years in jail. Thus, it is absolutely vital to provide proper training, as even an accidental violation can result in significant fines.
HIPAA compliance is part of the cost of doing business for healthcare companies. Ensuring that you and your employees stay within the law means making sure that everyone knows the law, and then practicing good cyber security.
If you need more help and advice on how to stay HIPAA compliant, contact WheelHouse IT today.