The Health Insurance Portability and Accountability Act (HIPAA) has established standards for the protection and management of private patient information. There are severe criminal and civil penalties for violations of the compliance regime, and healthcare practices, along with those who do business with them in a way that provides direct or indirect access to data, are caught by the provisions of the legislation.
In broad terms, anyone who has access to, manages or works with Protected Health Information (PHI) must put in place physical and network security measures, and must establish process security as well.
Those covered by the law are divided into two categories. Covered Entities (CE) are any person or organization which provides treatment, pays for treatment (in the form of an insurance company, not a private individual), or carries out operations in the healthcare industry. The second class are referred to as Business Associates (BA), and these include any entity that has access to PHI, supports treatment of patients, or is involved in payment processing or healthcare operations. The law has been extended to catch subcontractors and close business partners of BAs too.
Two Main Rules of HIPAA
HIPAA has two main rules: the Privacy Rule and the Security Rule. The HIPAA Privacy Rule covers the issues surrounding capturing, saving, access control and the sharing of any patient information. The HIPAA Security Rule lays down national standards, enforced at the federal level, for the protection of PHI at every stage of its life: access, storage, transmission across networks and how it is maintained.
The Security Rule lays down broadly framed provisions for what a CE or BA must put in place, but it allows a great deal of discretion. For instance, you must protect against a “reasonably foreseeable risk” to PHI, and your protective steps must also be “reasonable”; what this means in practice is that CEs and BAs are exposed to the capricious nature of what is meant by “reasonable.”
HIPAA and Healthcare
Ensuring HIPAA compliance using an in-house team is exceptionally difficult for all healthcare providers and their associates, unless they are extremely large and have the resources and budgets to build a compliance team of specialists. In practice, most healthcare providers subcontract their HIPAA compliance efforts to specialist providers who are experienced in such matters, and this is a more secure and cost-effective way of handling it.
Note, however, that simply engaging a third-party professional does not in any way remove the CE's or BA's liability for compliance with HIPAA. This makes it absolutely essential to know who the third-party provider is, and to confirm that they have the skills, experience, stability and technical understanding of HIPAA and of the steps required to protect your patient information and data.
HIPAA Penalties
HIPAA provides for both criminal and civil penalties, ranging up to one year in jail and $1.5 million in fines, and these apply per violation, or per individual patient record that is compromised. Fines are very common for violators, including first-time offenders, and the ability to impose crippling fines on a healthcare professional or practice can put them out of business. More than this, major offenders are placed on the Wall of Shame maintained on the Department of Health and Human Services (HHS) website.
Jenny Ford writes on healthcare and IT issues and is currently working on a Whitepaper covering HIPAA and data protection for Swift Systems.