Chapter 4: How to Comply with HIPAA Regulations and the HITECH Act
As a healthcare practitioner, you're probably already familiar with HIPAA, the Health Insurance Portability and Accountability Act of 1996. The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces HIPAA. Its Privacy and Security Rules govern how protected health information (PHI) may be used, disclosed, and safeguarded by covered entities (healthcare providers, health plans, and billing clearinghouses) and by the business associates that handle PHI on their behalf.
An example of a HIPAA violation would be discussing HIV testing with a patient in the waiting room. This is a violation of your patient's privacy because other people in the waiting room can overhear, and so gain access to, the patient's protected health information.
To maintain HIPAA compliance, you're required to develop, implement, and document policies and procedures covering the administrative, physical, and technical safeguards HIPAA requires for PHI, including how it is communicated, stored, and transmitted. This includes training staff in proper patient communication and in how to adhere to the rest of your HIPAA policies.
As the guardian of your patients' protected health information (PHI), you could be heavily fined for HIPAA violations. Civil penalties are tiered by how culpable you were, and each tier carries its own price tag:
- Did not know (and, exercising reasonable diligence, could not have known) of the violation: $100 - $50,000 for each violation.
- Reasonable cause, and not willful neglect: $1,000 - $50,000 for each violation.
- Willful neglect, but corrected within 30 days of discovery: $10,000 - $50,000 for each violation.
- Willful neglect, not corrected: $50,000 or more for each violation.
Within each tier, penalties are capped at $1.5 million per calendar year for violations of the same provision. In practice, the HHS usually doesn't impose the maximum penalty. Instead, the amount is based on the nature and extent of the violation, the nature and extent of the resulting harm, and other factors, such as your history of compliance and whether you cooperate with the investigation.
HIPAA and HITECH Compliance Tips for Private Healthcare Practitioners
The following are the most common causes of HIPAA violations and some ideas about how to avoid these pitfalls as you treat patients:
- Human error. As we mentioned before, the Office for Civil Rights (OCR) cites human error as the leading cause of HIPAA violations (69 percent). For example, if you leave an unencrypted backup thumb drive containing PHI in your car and that drive is stolen, you have a reportable breach on your hands, because HIPAA presumes that any impermissible disclosure of unsecured PHI is a breach unless you can show a low probability that the data was compromised. Even certain social media comments can constitute a HIPAA violation. The solution? Train your team on HIPAA rules and enforce a strict protocol for handling PHI.
- Unencrypted data. The vast majority of data breaches are caused by thefts of unencrypted data. Encryption converts data into ciphertext that can only be read by someone who holds the key, so a thief who takes an encrypted drive gets nothing usable. It also matters legally: HHS treats PHI encrypted according to its guidance (which follows NIST standards) as "secured," so the loss of a properly encrypted device is not a reportable breach, while the loss of a merely password-protected one is. When the key is derived from a password, choose a long, strong passphrase so the encryption can't be broken by guessing, store the passphrase separately from the device, don't reuse it elsewhere, and change it if you have any reason to think it was exposed.
- Data stored on devices. Theft of portable devices (laptops, phones, tablets, or storage media) accounts for 42 percent of all data breaches, according to Hartford Steam Boiler. The solution for PHI stored on portable devices is full-disk or file-level encryption; a login password alone does not protect data on a drive that can simply be removed and read elsewhere. You'll also want to back up records, with the backups themselves encrypted and kept in a separate location, so you don't risk losing the only copy of your patients' PHI if your computers or media devices are stolen.
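As an added illustration of the advice above on encrypting backups for portable media (this is editorial example code, not part of the original guide), the script below encrypts a constructed sample records file with the openssl command-line tool before it goes onto a thumb drive, then checks that it decrypts correctly, that the patient data is not readable from the encrypted file, and that a wrong passphrase does not recover it. It assumes openssl 1.1.1 or later is installed; the file names and passphrases are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes the openssl CLI is
# installed; file names and passphrases below are hypothetical.
set -eu

# Constructed sample "backup" standing in for an export of patient records.
make_sample_backup() {   # make_sample_backup <path>
  printf 'patient_id,name,diagnosis\n1001,Jane Doe,hypertension\n' > "$1"
}

# Encrypt with AES-256-CBC. The key is derived from the passphrase with
# PBKDF2 over a random salt; the iteration count is what makes guessing a
# weak passphrase expensive. The passphrase is read from an environment
# variable, never placed on the command line where other users could see
# it in the process list.
encrypt_backup() {   # encrypt_backup <plaintext> <ciphertext> [env var name]
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "env:${3:-BACKUP_PASSPHRASE}"
}

decrypt_backup() {   # decrypt_backup <ciphertext> <plaintext> [env var name]
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "env:${3:-BACKUP_PASSPHRASE}"
}

# Returns 0 only if the backup survives a round trip, the patient name is
# absent from the encrypted file, and a wrong passphrase does not recover
# the original.
verify_backup() {
  workdir=$(mktemp -d)
  make_sample_backup "$workdir/records.csv"
  encrypt_backup "$workdir/records.csv" "$workdir/records.csv.enc"
  decrypt_backup "$workdir/records.csv.enc" "$workdir/restored.csv"

  rc=0
  cmp -s "$workdir/records.csv" "$workdir/restored.csv" || rc=1
  if grep -q 'Jane Doe' "$workdir/records.csv.enc"; then rc=1; fi

  # A wrong passphrase must either fail outright or yield garbage; either
  # way it must not reproduce the plaintext.
  WRONG_PASSPHRASE='not the real passphrase'
  export WRONG_PASSPHRASE
  if decrypt_backup "$workdir/records.csv.enc" "$workdir/bad.csv" WRONG_PASSPHRASE 2>/dev/null; then
    cmp -s "$workdir/records.csv" "$workdir/bad.csv" && rc=1
  fi

  rm -rf "$workdir"
  return "$rc"
}

# Hypothetical passphrase used when none is supplied by the environment.
BACKUP_PASSPHRASE="${BACKUP_PASSPHRASE:-correct-horse-battery-staple-example}"
export BACKUP_PASSPHRASE
```

In day-to-day use you would call encrypt_backup on the real export and copy only the .enc file to the drive, keeping the passphrase somewhere other than the bag the drive travels in; full-disk encryption built into the operating system (BitLocker, FileVault, LUKS) achieves the same end for a whole device without a script.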
- Business associates. Business associates are a major potential source of exposure for healthcare practitioners, as they are often charged with storing, transmitting, or processing your PHI on behalf of your practice. HIPAA requires a signed Business Associate Agreement (BAA) with each of them before they touch PHI, and you remain liable for choosing them carelessly, so be selective with your vendors and associates or risk fines for noncompliance. You'll want them to fully understand HIPAA compliance; have dedicated firewall / VPN and antivirus systems in place; and use backup systems and documented, formal policies and procedures. Further, it's wise to choose partners who have adequate Professional Liability or Cyber Liability Insurance in place to ensure that they can cover the costs of any breaches that occur without being forced to shut down operations.
- Lapses in notification. Many HIPAA violations result in serious fines when a business owner neglects to inform affected individuals. HHS requires that individual notifications be provided without unreasonable delay, and no later than 60 days following the discovery of a breach. Your notification must include a description of the breach; a description of the types of information that were involved; the steps affected individuals should take to protect themselves from potential harm; and a brief description of what you're doing to investigate the breach, mitigate the harm, and prevent further breaches. You must also notify HHS: within the same 60 days if 500 or more individuals are affected (in which case prominent local media must be notified as well), or in an annual log for smaller breaches. (Read more about the HHS's breach notification requirements on the HHS website.)
Next: Chapter 5: How to Find Business Insurance for Your Medical or Healthcare Practice