HIPAA, the Health Insurance Portability and Accountability Act, has been a term of concern for the past few years for every healthcare provider and individual. Congress enacted HIPAA in 1996 to ensure the efficiency and standardization of healthcare as well as to enhance access to healthcare. What most business owners do not know is that HIPAA affects everyone. HIPAA affects those within education, non-profits, private practices, major corporations and even the government.
This is why the HIPAA Privacy Rule was created. The HIPAA Privacy Rule prohibits the release of any protected medical information to a third party without the individual’s valid, signed authorization. The provision of healthcare, payment for that healthcare and a person’s past, present and future health condition(s) all fall under protected medical information. If a hospital or healthcare provider shares personal medical information, an individual can sue due to the risk of healthcare and identity fraud.
If your healthcare provider hosts data with a HIPAA-compliant provider and handles protected health information (PHI), the U.S. Department of Health and Human Services requires by law that specific technical and physical precautions be in place. Here is what you need to know about those precautions:
- Tracking logs or audit reports must be maintained to help prevent security violations and to identify their source.
- Physical precautions include but are not limited to:
  - Controls on reusing, removing and transferring electronic media that holds PHI
  - Limited facility access, with only approved access in place
  - Limited physical access to workstations and electronic data
- Technical precautions include but are not limited to:
  - Database access restricted to authorized users, each with a unique user ID
  - Encryption and decryption of PHI
  - Automatic log-off
  - Emergency access procedures in place
- Employees should be trained on a regular basis on HIPAA compliance and regulations
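The technical precautions above are easier to reason about when you see how they fit together around a store of PHI. The following is an added example, not code from the original article or from IT Direct: a toy access layer in which every workforce member has a unique user ID, access is limited by role and patient assignment, idle sessions are logged off automatically, emergency ("break-glass") access is allowed but recorded, and every access attempt lands in an append-only, hash-chained audit trail so that edits or deletions in the log can be detected. The user names, roles, patient records and the 15-minute idle limit are constructed assumptions for illustration, not regulatory values; encryption of the records at rest is out of scope here.

```python
"""Toy model of HIPAA Security Rule technical safeguards (added example)."""
import hashlib
import json
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not a HIPAA-mandated number

# Constructed sample PHI store: patient id -> record (not real data).
PHI_RECORDS = {
    "P-1001": {"name": "Example Patient A", "diagnosis": "example"},
    "P-1002": {"name": "Example Patient B", "diagnosis": "example"},
}

# Each workforce member has a unique user ID (no shared logins), a role and
# the patients they are assigned to. Constructed for this example.
USERS = {
    "jdoe": {"role": "clinician", "patients": {"P-1001"}},
    "asmith": {"role": "billing", "patients": {"P-1001", "P-1002"}},
}

# Minimum-necessary rule: billing staff never see clinical fields.
ROLE_FIELDS = {"clinician": {"name", "diagnosis"}, "billing": {"name"}}


@dataclass
class Session:
    user_id: str
    last_activity: float
    active: bool = True


class AuditLog:
    """Append-only audit trail; each entry commits to the previous entry's
    hash, so removing or editing an earlier entry breaks verify()."""

    def __init__(self):
        self.entries = []
        self._prev_hash = "0" * 64

    def record(self, **event):
        event["prev_hash"] = self._prev_hash
        payload = json.dumps(event, sort_keys=True).encode()
        event["hash"] = hashlib.sha256(payload).hexdigest()
        self._prev_hash = event["hash"]
        self.entries.append(event)

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PhiService:
    def __init__(self):
        self.audit = AuditLog()
        self.sessions = {}

    def login(self, user_id, now):
        if user_id not in USERS:
            self.audit.record(ts=now, user=user_id, action="login", result="denied")
            return None
        self.sessions[user_id] = Session(user_id, now)
        self.audit.record(ts=now, user=user_id, action="login", result="ok")
        return self.sessions[user_id]

    def _check_session(self, user_id, now):
        """Automatic log-off: an idle session is terminated and the event logged."""
        s = self.sessions.get(user_id)
        if s is None or not s.active:
            return False
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            s.active = False
            self.audit.record(ts=now, user=user_id, action="auto_logoff", result="ok")
            return False
        s.last_activity = now
        return True

    def read_record(self, user_id, patient_id, now, emergency=False):
        """Return the role-filtered view of a record, or None; always audited."""
        if not self._check_session(user_id, now):
            self.audit.record(ts=now, user=user_id, patient=patient_id,
                              action="read", result="denied:no_session")
            return None
        user = USERS[user_id]
        # Emergency access: a clinician may reach an unassigned patient, but the
        # access is flagged in the audit trail for later review.
        allowed = patient_id in user["patients"] or (emergency and user["role"] == "clinician")
        if not allowed or patient_id not in PHI_RECORDS:
            self.audit.record(ts=now, user=user_id, patient=patient_id,
                              action="read", result="denied:not_authorized")
            return None
        fields = ROLE_FIELDS[user["role"]]
        view = {k: v for k, v in PHI_RECORDS[patient_id].items() if k in fields}
        self.audit.record(ts=now, user=user_id, patient=patient_id, action="read",
                          result="ok", emergency=emergency, fields=sorted(fields))
        return view
```

Reviewing the audit trail is the practical payoff: every denied read, every emergency read and every automatic log-off is a line that can be exported to a log management system, and `verify()` tells an auditor whether the trail has been altered since it was written.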
When policies and procedures are not properly followed, the Office for Civil Rights and/or the Attorney General’s Offices are now levying fines, and they are not only going after large corporations. The first settlement concerning HIPAA was at a hospice in Northern Idaho. Fewer than 500 patients’ protected health information was breached, resulting in a $50,000 penalty.
A small private practice with two locations in New Hampshire and four in Massachusetts faced a HIPAA settlement for not having proper technical procedures and policies in place. There was a breach in which nearly 2,200 individuals’ PHI was stolen from one of the practice’s employees. The resolution amount for the practice totaled $150,000.
A dental practice hired a company to securely destroy old paper records of former patients. When the files were discovered in a dumpster behind a church, the practice was hit with a fine of $12,000 for illegally disposing of the patients’ PHI. The owner of the dental practice believed that hiring a third-party vendor meant he was following proper procedures.
Do not end up like any of these small businesses; reach out to your local IT provider today. Yes, healthcare is a growing industry, but everyone is affected by HIPAA compliance. IT Direct can help guard you against such risks and penalties and educate you about them.
To find out more about HIPAA please visit HHS.gov.