The Health Insurance Portability and Accountability Act (HIPAA) mandates that health care organizations protect the privacy of patients’ personal information. Maintaining HIPAA compliance requires several key cyber security measures.
Who Needs to Comply with HIPAA?
All organizations that deal with protected health information must comply with HIPAA, including:
- Health care providers
- Employer group health plans
- Health care clearinghouses
- Health insurance companies
- Business associates of any of the above (such as external accountants, medical transcription services, consultants, etc.)
How to Achieve and Maintain HIPAA Compliance
HIPAA Privacy Rule
The HIPAA Privacy Rule is meant to set boundaries on the use and release of health records. It establishes safeguards to protect the protected health information (PHI) of patients.
If your business requires HIPAA compliance, it must give patients a Notice of Privacy Practices (NPP). This states exactly how your company may use their PHI, tells patients how to file complaints if violations occur and provides information about patients’ rights.
HIPAA Security Rule
The HIPAA Security Rule is meant to protect electronic health records (EHRs). It requires companies to have the following to ensure the security of electronic PHI:
- Administrative safeguards. This includes having a designated security official in place who establishes a process to identify risks, authorizes access to information, provides training and reviews security policies.
- Physical safeguards. These restrict physical access to data facilities, workstations and devices.
- Technical safeguards. Firewalls, antivirus software and other technical controls protect against cyberattacks and maintain network security.
HIPAA Breach Notification Rule
In the event that PHI falls into the wrong hands, HIPAA compliance requires that companies notify both patients and the U.S. Department of Health and Human Services.
Under the HIPAA Breach Notification Rule, a breach is defined as “the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information.”
Penalties for HIPAA Violations
The Department of Health & Human Services Office for Civil Rights (OCR) investigates complaints and conducts reviews to ensure affected organizations maintain HIPAA compliance. If it discovers violations, it may impose penalties.
The OCR prefers that organizations voluntarily rectify their violations rather than having fines issued. First-time offenders will usually have the opportunity to become compliant without further penalty.
Civil money penalties are calculated based on the severity and nature of the violation. For example, if the OCR determines that an organization committed a minor violation it was not aware of, it will issue smaller fines.
At its discretion, the OCR may issue fines of between $100 and $50,000 per violation, up to an annual maximum of $1.5 million.
Entities and individuals who knowingly disclose private health information may face fines of between $50,000 and $250,000, and imprisonment of between one and 10 years.
Following the above rules will help your company maintain HIPAA compliance and avoid penalty. Any questions should be directed to your local IT support experts.