If you work in the healthcare industry, it’s certain you’ve heard the term “HIPAA” a few times. Whether or not you’re working for an office that’s HIPAA compliant, patients’ medical record security and privacy are important to everyone. It helps to know a bit about HIPAA history and its importance.
So what is HIPAA? The simple answer: the Health Insurance Portability and Accountability Act of 1996. Although the rules and regulations surrounding the act can seem complex, the goal of HIPAA is actually quite simple. Patients have the right to keep their medical records private and secure from anyone they don’t want viewing them. Only authorized healthcare personnel with a need to know patient details should be allowed to view these sensitive documents.
About Privacy and Security
The rules about HIPAA regarding patient record privacy and security are both similar and different. Patients have the right to privacy and can authorize who is allowed to view their medical records, or see and hear sensitive information (such as a family member receiving medical information on their behalf). Medical records in every form–paper, oral, and electronic–must at all times remain secure and safe from unauthorized people. This includes all methods of storage, as well as verbally or electronically releasing patient information. Every member of a HIPAA compliant office must be trained and tested on proper procedures, in order to keep patient records private and secure.
In addition, all medical records must be accurate and readily available to those with the need to know the information contained in the documents.
Penalties for Security Breaches
Penalties for failing to comply with HIPAA regulations are severe–personnel have lost their jobs, offices have been closed, and fines have been levied against businesses that accidentally or knowingly released sensitive information. Jail time is even a potential penalty, which stresses the importance HIPAA has to the healthcare community.
With the ever-changing government rules regarding HIPAA compliance, the process of becoming HIPAA compliant can seem daunting, confusing, and time-consuming. Many regulations that were in place at the time of your analysis last year may now be outdated or changed.
However, as you know, it’s vital to adhere to HIPAA compliance requirements to avoid the severe consequences that can result from a security or privacy breach. Health providers, plans and clearinghouses have a legal responsibility to the patients and entities they serve to keep records private and safe from those without the authorization to view them. To ensure optimum patient record security, health care companies must conform in every way to standards that keep sensitive physical, software and network information secure.
Requirements for HIPAA Security and Privacy Compliance
It’s not enough for office managers and those in charge to understand the rules for HIPAA security compliance; each employee must be trained and educated in the procedures that safeguard patient records, from locking computers that are not in use, restricting storage equipment and staff areas only to authorized personnel, and keeping sensitive patient information from prying eyes and ears. Even one accidental slip can lead to a security breach, which in turn can lead to costly fines.
HIPAA Security Risk Analysis
As a result of the changes driven by The HITECH (Health Information Technology for Economic and Clinical Health) Act, all Covered Entities and Business Associates must be compliant and completing a formal Security Risk Analysis is a crucial step in doing so. Enforcement of compliance has increased significantly over the last year and includes the following:
- Mandatory audits
- Business associates must comply with new laws
- Subcontractors must comply With new laws
- Non-compliance fines are being enforced
- Stiffer penalties
- Jurisdiction provided to state attorneys general to file civil actions against violators
Because of this, it is more important than ever before, to build your organization’s risk management program on a methodical and proven software solution.
Enforcement Results as of the Date of This Summary
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 130,748 HIPAA complaints and has initiated over 885* compliance reviews. We have resolved ninety-six percent of these cases (125,472).
OCR has investigated and resolved over 24,477 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate, which may include settling with the entity in lieu of imposing a civil money penalty. To date, OCR has settled 33 such cases resulting in a total dollar amount of $33,689,200. OCR has investigated complaints against many different types of entities including national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices. In another 10,979 cases, our investigations found no violation had occurred. Fluctuation is due to the re-classification of cases to accurately reflect the type of review initiated.
Additionally, in 13,041 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.
In the rest of our completed cases, (77,275) OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:
- OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA
- The complaint is untimely or withdrawn by the filer. The activity described does not violate the HIPAA Rules
- The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure
From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Use or disclosure of more than the minimum necessary protected health information
- Lack of administrative safeguards of electronic protected health information
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
- Private practices
- General hospitals
- Outpatient facilities
- Health plans (group health plans and health insurance issuers)
Find out more about our partnership with HIPAA One.
Upon completion of this quiz, your results will be emailed instantly, along with actions to take (if any) to safeguard your organization against potential compliance issues.