Small health care providers, such as private practices and dental offices, can sometimes get intimidated by the thought of HIPAA compliance and what that means.
But not complying with HIPAA guidelines can mean higher fines in the case of a breach of protected health information (PHI). The regulation uses a sliding scale, and companies found to be negligent when it comes to a violation face stiffer penalties than companies that did all they could to prevent a breach.
HIPAA penalties range from $100 to $50,000 per incident or each breached record, up to $1.5 million per year.
Compliance with this regulation impacts just about every part of a Houston business’s technology infrastructure. This includes how data is transmitted and stored, employee training, and what types of cybersecurity strategies are in place.
Understanding what’s required under HIPAA is the first step to compliance. Once you see how each part connects, you can gain a better understanding of what your company has to do to be compliant.
Here’s a HIPAA “cheat sheet” to get you started.
Who is Required to Comply with HIPAA?
Is your organization required to comply with HIPAA? The short answer is, if you handle protected health information in any way, then you will fall under this guideline and are a “covered entity.”
Covered entities that need to comply with the guideline include:
- Health plans
- Health care clearinghouses
- Any health care provider that transmits electronic health information
- Business associates that help carry out healthcare activities or functions
What Does HIPAA Do?
In a nutshell, HIPAA is designed to create a national standard for protection of patient rights and sensitive patient health information.
Some of the key goals of these rules include:
- Give patients more control over their health information
- Create boundaries on use and release of PHI
- Establish safeguards that health care providers must follow to protect the privacy of health information
- Hold those that violate HIPAA rules accountable
HIPAA Includes 4 Separate Rules
There are four different HIPAA rules that companies need to comply with. These include:
- HIPAA Security Rule: This rule covers data security safeguards for PHI and what’s known as electronic PHI (e-PHI), including both technology safeguards and physical security.
- HIPAA Privacy Rule: This rule applies to all covered entities, with the exception of business associates. It includes provisions for patient access to their PHI, privacy notices, and regulatory standards documentation.
- HIPAA Breach Notification Rule: This sets parameters for a “minor breach” and “meaningful breach” and requirements for what needs to happen with each one. It includes deadlines for when breach notifications must be made.
- HIPAA Omnibus Rule: This relates to the necessity of Business Associate Agreements and states that they must be executed before PHI can be transmitted.
What Are Some Common HIPAA Violations?
To get a good feel for what not to do when it comes to HIPAA compliance, it’s a good idea to review HIPAA violations, which are public.
Here are a few of the common violations that have occurred so far in 2020:
- Failure to honor right of access of patient to their health records
- Failure to terminate a former employee’s access to PHI
- Data breach of a database containing patient records
- Theft of an unencrypted laptop, allowing access to PHI
In one case, a small health care provider, Agape Health Services, had to pay $25,000 in fines due to multiple HIPAA violations, which included the impermissible disclosure of over 1,000 PHI records to an unknown email account.
Safeguards That Fall Under the HIPAA Security Rule
The HIPAA Security Rule is one that businesses tend to worry about the most because it involves the physical and digital security of protected health information.
Here are some of the main facets to this rule that businesses need to be aware of:
- Risk Analysis: An IT risk analysis helps businesses identify vulnerabilities in the parts of their IT infrastructure that are needed to protect PHI. It also shows a good faith effort to comply with HIPAA.
- Administrative Safeguards: This includes things such as employee HIPAA awareness training, data access policies and procedures, and documentation of HIPAA compliance activities.
- Technology Safeguards: This includes the protections you put in place to safeguard PHI from being compromised, like a firewall or managed IT services.
- Physical Safeguards: This includes physical building security and security of devices like laptops or tablets that contain PHI or access to PHI.
- Cyber Attack Response: This includes the response plan you have in place to mitigate the damage from an attack and report any breaches per HIPAA breach notification guidelines.
Make HIPAA Compliance Easy by Working With Digital Crisis
Digital Crisis can help your Houston area business with HIPAA compliance, taking the burden off your shoulders. We’ll worry about your data security, so you can focus on your company.
Contact us today to schedule a consultation. Call 713-965-7200 or reach us online.