The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It's been the law of the land for 20 years, and even people who don't work in the healthcare industry are aware of its existence and purpose.
Despite all the publicity, HIPAA violations are surprisingly common. For example, according to enforcement data from the Health and Human Services (HHS) website, in 2015 alone the Office for Civil Rights (OCR) took corrective action to resolve 730 HIPAA violations. Technical assistance was provided to resolve an additional 3,820 complaints.
A HIPAA violation happens when an organization that deals with sensitive patient health data either:
- releases the data without authorization, or
- fails to take all the steps HIPAA prescribes to protect that data.
Most HIPAA violations are not intentional. Often, violations happen not out of malice or willful negligence, but simply because a seemingly innocuous policy or procedure slipped through the cracks.
But when it comes to HIPAA, ignorance is definitely not bliss. Even accidental violations can lead to steep fines.
With that in mind, here's a brief overview that explains what HIPAA compliance is and some of the ways it can affect your organization.
HIPAA Compliance: Who Needs It?
Does your business deal with protected health information (PHI)? If so, it must be HIPAA-compliant. "Covered Entities" under HIPAA include health care providers, health plans, and health care clearinghouses.
But the need for compliance doesn't stop there. If they deal with PHI, your Business Associates (such as your translation provider) and their subcontractors must be compliant as well. A Business Associate agreement should be on file for each business associate. The agreement should:
- Describe how the business associate will use PHI.
- Require that they use HIPAA-compliant safeguards to protect sensitive data.
- Require timely reporting of any data breaches.
And why does a company need to be HIPAA compliant? First of all, if your organization fits into any of the above categories, compliance is the law. And secondly, this law has teeth. Federal fines for HIPAA violations start at $100 (for unintentional violations) and go up to $50,000. The maximum fine is $1.5 million per violation category per year. But that maximum only applies to the federal government. State attorneys general can get in on the action with fines of their own.
What Must Be Done to Ensure Compliance?
HIPAA aims to ensure that sensitive health information is available to patients, providers, and insurers, when needed, and kept secure the rest of the time.
The HIPAA Privacy Rule provides national standards for disclosure of protected health information. The Security Rule is meant to ensure that protected health information that is stored electronically is stored securely, and is only accessed by individuals who are authorized to view it.
To be compliant, businesses must meet HIPAA standards in the following areas:
Businesses must ensure that only authorized individuals can physically access PHI. For example, they must maintain secure offices and workstations. And they must craft policies and procedures to keep track of hardware that might have sensitive information stored on it.
Businesses must have security procedures for accessing PHI. For example, the data should be encrypted. Accessing it should require unique usernames and passwords. And tracking logs should note when it was accessed, and by whom.
Companies must ensure that health data can't be changed or deleted inappropriately. IT policies and procedures for offsite backup and disaster recovery should allow patient information to be retrieved even if something goes wrong on site.
HIPAA-compliant hosting is also required to protect sensitive data. That means the hosting company follows HIPAA-approved security protocols for sending and storing sensitive data. This requirement affects all methods of sending and receiving data, including email, the internet, and private networks.
Protect your customers and your business by seeking out a reputable company that specifically offers HIPAA-compliant hosting. And don't use unsecured or public websites when handling your patients' protected health information. That includes translating it into another language, by the way.
Some big brands are struggling with this: Amazon’s Alexa is not yet HIPAA-compliant.
If you do find that protected health information has made it into the wrong hands, you will need to notify both patients and HHS. Not providing breach notifications when required is also a HIPAA violation!
My organization is required to be HIPAA-compliant. What does that mean to me, and how can it affect my work?
If your organization is required to be HIPAA-compliant, be diligent about protecting patient data. Don't access protected health information unless you need it to do your job. And pay close attention to any and all HIPAA-related training provided by your employer. Violating HIPAA can lead to hefty fines and even jail time!
Want to learn more about how our award-winning project management process can save time and money while ensuring your organization maintains HIPAA compliance? Contact us at firstname.lastname@example.org