A group of regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 affects millions of individuals and organizations in the United States, changing the daily business operations of entities in a wide range of industries. Are you one of the many whose business has been dramatically altered by HIPAA?
One part of HIPAA protects the confidentiality of patients’ medical information. (We won’t explore the other provisions of HIPAA in this article.) The HIPAA Privacy Rule requires covered entities and their business associates to safeguard protected health information (PHI) in every form in which it exists: spoken, on paper, electronic, etc. The companion Security Rule adds specific administrative, physical, and technical safeguard requirements for PHI held or transmitted electronically. HIPAA defines PHI as individually identifiable health information, in any form or medium, that
“Relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
This means that every covered entity, that is, health care providers, health plans, and health care clearinghouses that handle PHI in the course of treatment, operations, billing, collections, and so on, must safeguard patient information and use or disclose it only as the Privacy Rule permits. The same obligations extend to the business associates of these entities and to the business associates’ subcontractors. HIPAA does allow a covered entity to share PHI with a business associate, but only for a permitted purpose, such as a function the business associate performs on the covered entity’s behalf, and only after the business associate has signed a Business Associate Agreement (BAA) in which it agrees to safeguard the shared information in accordance with HIPAA standards.
In July 2016, the Office for Civil Rights (OCR) within the US Department of Health and Human Services began Phase 2 of its audit program, which evaluates HIPAA compliance. To assess compliance across the entire health care industry, OCR selects organizations of every size and type, and any covered entity or business associate is subject to selection for audit.
Violations and Penalties
Organizations can be charged with violations discovered during audits and with violations reported through complaints filed with OCR. HIPAA violations can result in both civil and criminal penalties. Civil violations are handled with civil money penalties (CMPs). The size of the penalty depends on the nature and extent of the violation and the amount of harm done. A CMP may not be assessed if the violation was not due to willful neglect and the organization corrects it within 30 days of the date it knew, or by exercising reasonable diligence would have known, of the violation. The penalty tiers start at a minimum of $100 per violation where the organization did not know (and could not reasonably have known) of the violation, and rise to $50,000 per violation for willful neglect that is not corrected within the allowed time, with each tier capped at $1.5 million per calendar year for violations of an identical provision (figures as originally set in the statute; they are now adjusted for inflation).
When an entity is found to have violated a criminal provision of HIPAA, OCR refers the case to the Department of Justice for investigation and prosecution. Violators who “knowingly” obtain or disclose PHI face fines of up to $50,000 and imprisonment of up to one year. The penalty rises to fines of up to $100,000 and up to five years’ imprisonment for offenses committed under false pretenses. The most egregious cases, those committed with intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm, can be punished with fines of up to $250,000 and imprisonment of up to 10 years.