The Health Insurance Portability and Accountability Act (HIPAA) was adopted in 1996. It seeks to ensure the secure management of healthcare information and outlines guidelines that all healthcare organizations and their employees must follow when handling protected health information (PHI). Under HIPAA, PHI is any information that can be used to identify an individual, including:
- Contact information
- Demographic information
- Lab test results
- Insurance information
- Medical history
As technology continues to evolve, the risks facing PHI grow with it. It is now more important than ever for organizations in the healthcare industry to comply with HIPAA to avoid costly penalties. To understand the significance of HIPAA compliance, it helps to revisit past violation cases. These cases provide crucial lessons on how to avoid common HIPAA-related mistakes.
Case #1: Allergy Associates of Hartford, Conn.
Hartford-based Allergy Associates was fined $125,000 after a patient complained to the Department of Health and Human Services that a physician at the facility had disclosed her PHI to a reporter. An investigation revealed that the physician disregarded advice from the practice's privacy officer not to respond to the media regarding claims that the woman had been turned away from the facility for bringing along her service animal. Following the disclosure, Allergy Associates failed to take any corrective or disciplinary action against the physician.
Allergy Associates should have disciplined the physician in addition to taking corrective action to prevent similar incidents from occurring. Had it done so, the facility would probably not have been penalized. This highlights why healthcare entities should take immediate remediation action when such incidents occur and hold employees responsible for their behavior. Likewise, employees should be trained on media protocols to ensure that PHI is not intentionally or unintentionally disclosed to the media, as happened at Allergy Associates.
By Ken Lynch, founder, Reciprocity.
HIPAA outlines the standard security practices that organizations handling protected health information (PHI) must adhere to. Whether or not your business is HIPAA compliant can have a major impact on how you operate. If you are non-compliant, you run a higher risk of data breaches, which can set off a domino effect: a single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to stay competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance helps you avoid fines from regulatory bodies, as well as an appearance on the "wall of shame," a site that lists health-related organizations that have suffered data breaches. Fortunately, as long as you commit to understanding HIPAA compliance, it is usually straightforward to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect
If you are required to be HIPAA compliant, you will be either a covered entity or a business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with covered entities in a non-healthcare capacity and still have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of which category you fall into, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule protects the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes the past, present, and future health information of protected individuals, payment data, the details of the care an individual received, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus Rule outlines how business associates should conduct themselves and how they interact with the covered entity. Recent updates expanded its scope to storage companies, subcontractors, and even consultants. It prohibits actors from using PHI for improper purposes, such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The Security Rule controls how businesses handle electronic Protected Health Information (ePHI). It requires businesses to have the right safeguards in place to protect the confidentiality, security, and integrity of ePHI. These safeguards are divided into three categories: