The Health Insurance Portability and Accountability Act of 1996 is almost hitting its 20th year. When people hear “HIPAA” they usually think doctors and nurses – people who are directly involved in patient care. But HIPAA covers more than just the immediate care givers. The traditional people and groups that are required to comply with the security and privacy aspects of the HIPAA mandate are usually well understood: doctors, nurses, psychologists, health insurance companies, HMOs, Medicare, Medicaid, and VA hospitals. You may also know that pharmacies, dentists, nursing homes, chiropractors, and healthcare clearing houses must also follow HIPAA requirements. These are considered Covered Entities, or CEs.
In 2013, the HIPAA Omnibus rule was enacted – this broadened the scope of entities that had to meet the same privacy and security requirements as covered entities. These business associates, are entities that may be part of a process that involves handling or viewing health information – such as contractors, attorneys, transcriptionists, and accountants.
Basically, BAs now face the same fines and penalties that CEs do when hit with a breach of security of privacy. Most don’t know however how entities are fined. It turns out the Office of Civil Rights (OCR), part of the Department of Health and Human Services, is responsible for both investigating complaints of HIPAA violations as well as assigning penalty and fines. These fines range from $100 to $50,000 per incident depending on the type of violation (e.g. losing a single record is a single incident) and also depends on severity and intent. Losing a laptop with thousands of records can add up. One of the largest fines was imposed in 2014: $4.8 million against New York Presbyterian Hospital and Columbia University. You can read the HHS press release here.
While most CEs and BAs have already gone through this exercise, it’s not a bad idea to review:
- Reassess your security risks across your organization
- Continue to educate your work force about HIPAA and how to protect patient information
- See if new technology and tools can improve how you address the administrative, technical, and physical safeguards that HIPAA requires when working with ePHI
- Review your breach response plans – addressing the issue immediately rather than neglecting to implement corrective actions will amplify the potential fines and penalties
Organizations that must comply with HIPAA have to be continually vigilant. For example, in the last few years, many healthcare organizations are struggling with shadow IT such as Dropbox and Google Drive that’s been installed without their knowledge – these applications that can lead to violations through data leakage, both intentional and unintentional. Investing in tools that provide more IT controls, visibility, while still providing the ability to share information is important. Think of it as health insurance – you hope you never need it, but when you do, you’d better have it – a few IT dollars spent now may prevent a major HIPAA fine in the future.