The Health Insurance Portability and Accountability Act (HIPAA) was introduced by the federal government in 1996 as a way to enhance the security and confidentiality of health care information. Since its inception, HIPAA has had a vast impact on how sensitive patient information is handled in the healthcare industry. The importance of being HIPAA compliant cannot be overemphasized, because failure to adhere to the regulations can result in hefty fines or prison terms.
Who needs to be compliant?
Under HIPAA, covered entities and business associates are mandated to ensure the privacy of protected health information (PHI). Covered entities include health care providers such as hospitals and physician practices, as well as health plans and health care clearinghouses. Business associates are companies that perform services for a covered entity and consequently receive, maintain, or transmit PHI on its behalf.
HIPAA Compliance
HIPAA contains comprehensive requirements for companies that hold PHI. They are required to give special attention to safeguarding the physical security of the data, and access to PHI should be limited to the personnel who need it. Administrators need to be aware of potential threats, and regular security awareness updates are needed so that staff can recognize dangers such as phishing scams and data theft.
Covered entities should put a balanced compliance program in place and ensure that the relevant personnel are aware of HIPAA requirements. They should also evaluate their security controls periodically and make certain that PHI is encrypted. Properly encrypted data cannot be read by whoever finds or steals it, provided the encryption keys are not compromised along with it.
Being HIPAA compliant is important because it ensures that a covered entity is prepared in the event of a HIPAA audit or investigation.
HIPAA audits
HIPAA has an audit program that randomly selects covered entities for an audit. Audits are carried out by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). OCR is responsible for enforcing HIPAA’s security and privacy regulations.
The purpose of the audit is to assess compliance with HIPAA’s Privacy and Security Rules, as well as with the Breach Notification Rule. The Breach Notification Rule stipulates that if there is a security breach involving PHI, the covered entity or business associate must notify the affected individuals about the incident. HHS and OCR must also be informed.
The HIPAA audit reviews the processes and operations of the covered entity. It pays to be HIPAA compliant, because any violations or breaches unearthed during an audit may warrant an investigation. If the audit reveals reasonable cause to suggest that the provisions of HIPAA have been violated, OCR may then open an investigation.
HIPAA investigations
OCR may carry out a HIPAA investigation based on the adverse findings of a random audit, or in response to a complaint being filed against a covered entity. Complaints are filed with OCR. The law requires that covered entities cooperate with the investigation.
HIPAA investigations are best handled by health care attorneys who are fully conversant with HIPAA regulations. Companies that are already HIPAA compliant can mount a stronger defense if they are faced with an investigation.
Consequences of HIPAA Violations
HIPAA violations relate to:
• Breach of privacy in relation to PHI
• Violation of the Security Rule for PHI kept in an electronic format
• Lapses in breach notification
There are different categories of violations and also varying tiers of civil and criminal penalties under HIPAA. Monetary penalties range from $100 to $50,000 per violation. Even in cases where a covered entity is believed to have exercised reasonable diligence and was not aware of the breach, the penalty may still range from $100 to $50,000 per violation.