If you are a healthcare provider or manage a medical facility of any size, you are probably familiar with HIPAA Privacy Rules. You may also be familiar with the consequences of non-compliance.
In fact, HIPAA fines added up to $28.7 million in 2018 alone.
So, what are the basic HIPAA policies and procedures, and how you avoid fines? We provide an overview to help with your HIPAA compliance management.
What is HIPAA Compliance?
HIPAA stands for Health Insurance Portability and Accountability Act. The goal of HIPAA is to shield the Protected Health Information (PHI).
Along with hard copy records, healthcare providers must also apply with HIPAA Security Rules regarding digital health records (ePHI), which are stored on servers or transferred via inter-office/network systems, emails or through a website.
Who Must Be HIPAA Compliant?
HIPAA rules apply to all medical facilities and providers. An updated HIPAA Omnibus Rule was added to address changes in the way healthcare services are now delivered. The Omnibus Rule includes Business Associates and secondary individuals/businesses that store or transmit medical records.
- Healthcare providers – Hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies & health plans
- Health insurance companies – HMOs, company health plans & government health plans
- Health Care Clearinghouses (Business Associates) – Companies that process healthcare data from one entity to another
The rules also apply to businesses that supply services to medical facilities, such as subcontractors, consultants, storage companies, accountants, lawyers, administrators, IT personnel, and anyone who might have access to PHI or ePHI.
What is Protected Health Information?
As we mentioned, the “Privacy Rule” is designed to protect individually identifying health information or PHI.
- Birth, death or treatment dates
- Contact information
- Social Security numbers
- Medical record numbers
- Finger or voiceprints
- Other unique identifiers
- Past, present and future medical records
The only exclusion applies to employee health records that a covered entity maintains.
What Are HIPAA Policies and Procedures?
There are three aspects to the HIPAA Security Rules.
- Implement access control
- Create protocols for authenticating ePHI
- Implement encryption and decryption protocols
- Create activity logs & audit controls
- Facilitate automatic login/logoff controls
- Implement access controls
- Establish policies for the use of workstations
- Establish policies for mobile devices
- Inventory of hardware
- Conduct risk assessments
- Create risk management policies
- Provide employee training
- Develop & test contingency plans
- Restrict third-party access
- Guidelines for reporting incidents
In all cases, you must obtain written permission from patients in order to share private health information.
Penalties for Non-Compliance
Non-compliance is a serious business. Let any area slip and you could face fines and possible legal action. Ignorance of the law will not count as an excuse, either.
HIPAA fines and penalties:
- Violation related to ignorance = $100 - $50,000
- Violation despite reasonable vigilance = $1,000 - $50,000
- Violation due to willful neglect = $10,000 - $50,000
- Violation due to willful neglect where there is no correction within 30 days = $50,000
Fines are imposed per violation category and are based on the number of records that were exposed, the risk related to the exposure, and the level of negligence.
Compliance Solutions For Businesses
Keeping track of HIPAA policies and procedures can be difficult for many entities. Compliance doesn’t stop with HIPAA rules, either. There are many laws and regulations to meet, from employment laws and safety measures to tax filings.
The consequences of non-compliance can be steep. You don’t have to face these issues alone, however. Alura can help, with a range of compliance management services. Be sure to also read our blog for additional resources and information that is critical to your operations.