Organizations that deal with health care need to be very cautious about privacy and security issues. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) impose strict requirements on protecting patient information. Failure to comply carries heavy penalties.
Any organization that handles protected health information (PHI) needs to know about those rules, whether it provides health services directly or contracts with providers.
It’s common to refer to the requirements of both acts as parts of HIPAA. We’re following that practice here.
The privacy and security rules
What is HIPAA compliance exactly? Two HIPAA rules are particularly important when handling patient data. The Privacy Rule mandates keeping PHI out of unauthorized hands. The Security Rule requires technical protection of data to ensure that it stays private.
The rules don’t require specific technologies. However, encryption is widely recognized as one of the best ways to protect data. Other practices that support compliance are network firewalls, anti-malware software, and access controls.
The Office for Civil Rights (OCR) handles complaints of non-compliance. Fines and settlements for non-compliance have run as high as $16 million. Willful neglect carries the highest penalties. To avoid being charged with willful neglect, covered organizations should document their security and privacy practices.
Breaches sometimes occur in spite of the best efforts. Covered entities can still be in compliance if they made good-faith efforts to prevent the breach and they issue the required notifications promptly. Affected patients need to be notified of any breach. If the breach is large enough, HHS and other entities need to be notified as well. Generally speaking, “large enough” means more than 500 affected patients.
What organizations are affected?
HIPAA defines three categories of covered entities:
Health care providers, such as doctors, clinics, and pharmacies.
Health plans, such as HMOs and insurance providers.
Health care clearinghouses, which process and convert health information.
In addition, business associates that deal with covered entities need to maintain compliance. They aren’t directly under the regulations, but covered entities must require contracts that mandate compliant handling of information. For example, if a clinic uses cloud services to store and manage PHI, it should use only services that guarantee HIPAA compliance.
Risks of non-compliance
Most HIPAA violations are the result of carelessness. Employees who don’t know their responsibilities may mistakenly give information to unauthorized people. They may not understand the security practices they need to follow.
Failure to encrypt data is a common problem. Encryption matters both when data is transmitted and when it is stored. Unencrypted laptops and phones that hold PHI can result in massive breaches. If a device is stolen and it holds unsecured information, a covered entity is required to assume a breach occurred unless it can prove otherwise.
Paper records are risky too. A serious breach occurred when a large collection of paper records fell off a truck on the way to being destroyed. Whenever PHI leaves a physically protected area, extra caution is necessary.
Whether an organization gets penalized, and how severely, depends on how much information was exposed and how much of a good-faith effort it made at protection. Organizations with a long record of ignoring problems get hit the hardest. If a breach happens, documenting security measures is a valuable defense against being penalized.
Getting expert assistance
Having access to expert technical advice helps greatly with HIPAA compliance. A qualified consultant will assess the risks, advise on the level of compliance, and make recommendations for improving it.
A managed service provider that acts as a HIPAA business associate takes a large part of the compliance burden off your hands. Your data will be protected, and you’ll have documentation of the safety measures. NetStandard has extensive experience in giving its customers HIPAA-compliant data management services. Contact us to learn how we can help.
If you’re a covered entity, making sure you follow HIPAA requirements is essential. Don’t take chances.