Introduction To Becoming HIPAA Compliant
Key HIPAA Terms
Whether you're a medical practitioner, an insurance company, a healthcare clearinghouse, or any number of other businesses that deal with medical information, you must be HIPAA compliant to survive in the current medical industry. That is, you must follow all the guidelines and rules put forth by the Health Insurance Portability and Accountability Act, or face serious, legal repercussions. While there is a lot of information about HIPAA out there, which can be daunting, following the necessary steps, as provided in this guide through information and outside resources, can make this crucial process a little easier to understand and comply with. From knowing about Risk Analysis, to disaster preparedness, to understanding how you should or should not be using a cell phone that contains sensitive material, you will soon be on your way toward HIPAA compliance.
What Is HIPAA Compliance?
HIPAA compliance refers to any medical practice, health insurance plan, third-party clearinghouse, or any businesses involved with healthcare abiding by all the mandates of HIPAA, in ensuring patient information is kept confidential and secure.
HIPAA has a number of components to consider for an entity that lawfully must be compliant. These entities are also referred to as "covered entities."
Being HIPAA compliant means understanding and addressing every patient's privacy and keeping all identifiable health information guarded and secure. It means understanding how to operate Electronic Health Records (EHRs) according to the Privacy and Security Rules. HIPAA compliance means conducting Risk Analysis and Management, having disaster preparation plans in place, partaking in ongoing training, executing agreements with business associates, and more.
In a nutshell, becoming HIPAA compliant, as the Act is primarily known, means protecting all health information from disclosure, except when absolutely necessary for a patient's care.
Why Does Compliance Matter?
HIPAA compliance is extremely important. For businesses or individuals that do not abide by the rules of HIPAA, the penalties can be quite severe. These penalties can be a combination of exorbitant fines and/or jail time.
Additionally, a practice that does not comply with HIPAA will develop a bad reputation, lose customers, and face a plethora of other legal problems. A business would have an immensely difficult time recovering from blatant HIPAA non-compliance once exposed.
On the consumer level, compliance ensures their confidential health information will be kept private and secure, that they will have the ability to access it, and have overall greater trust in the medical system as it develops with new technological advances. They can be sure of greater transparency between them and medical practitioners.
Key Terminology
Administrative Simplification: Attempts to standardize, reduce the cost of, and make electronic transactions more efficient.
ARRA: American Reinvestment and Recovery Act of 2009.
Auditing: Audits are periodic checks of a business, whether internal or external, to make sure the entity is complying with the rules of HIPAA.
Business Associate: Any person or entity that handles or has access to protected health information, that is not a part of the company providing that information.
CPMA: Certified Professional Medical Auditor
Compliance/Non-Compliance: Whether a business or other entity is following all required HIPAA protocol or not.
Covered Entities: All businesses and other industries, i.e. medical care providers, insurance plans, and clearinghouses required to comply with HIPAA.
CMS: Centers for Medicare and Medicaid Services
EMR/EHR: Electronic Medical Records/Electronic Health Records are a digital means of storing and accessing a patient's health information across industries and practices.
EPHI: Electronic Protected Health Information
HHA: Home Health Aide
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health Act, enacted in 2009, creates stricter penalties for non-compliance and expands these rules to include business associates of medical offices.
OCR: Office for Civil Rights
Omnibus Rule: Enacted in 2013, includes new data privacy protections and further extends HIPAA obligations to business associates.
Portability: Portability refers to the part of HIPAA (Title I) that deals with health insurance coverage and lapses.
PHI: Protected Health Information is anything regarding a person's care that could be used to identify them, including medical and/or payment history.
RACs: Recovery Audit Contractors
Risk Analysis: The process by which an entity determines the level of risk facing its security measures.
Risk Management: The process of managing the aforementioned risk.
Security/Privacy/Breach Notification Rules: Within HIPAA are the security and privacy rules that keep patient information safe and confidential. The breach notification rule refers to the process of reporting a breach within your business.
Unique Identifier Numbers: These are specific numbers assigned to practices and employers to standardize the identification process for the purposes of HIPAA.
A concise summary of this can be found in the following article.
HIPAA Enforcement
The HHS's Office of Civil Rights (OCR) is responsible for enforcing privacy standards under HIPAA. The Centers for Medicare and Medicaid (CMS) enforce electronic transaction and code standards, as well as the numerous security standards.
The HIPAA Enforcement Rule sets forth provisions regarding compliance and investigations; imposing civil penalties; and procedures for court hearings.
The American Medical Association (AMA) provides a more in-depth FAQ section on the regulations for enforcing privacy standards.
Penalties For Non-Compliance
The penalties for non-compliance are quite severe. They include both civil penalties, as well as criminal ones.
Civil: The penalty for neglecting to abide by the HITECH law can incur a $250,000 fine. With repeated violations or a failure to correct such violations, the fine can rise up to $1.5 million.
Criminal: The criminal penalties for non-compliance range from a $50,000 and one year in prison to $25,000 and a ten year prison sentence.
If an organization is not found to be compliant according to the HITECH Act, it will lose out on government incentive money for implementing EHRs and not be reimbursed once their implementation is complete.
Legal Help For Covered Entities
On a website like this one, you can research legal answers to a number of HIPAA FAQ as well as posting your own questions. However, forums are not always the most trustworthy sources of information and you probably want more consistent and ongoing help.
The same website allows you to find lawyers in your area, with a variety of specializations, for a consultation, and you can also read their reviews from past clients. There are likely several websites like this one out there, just make sure the site-and the lawyer-you choose is credible.
There are also lawyer referral services available if you'd rather deal with the whole process in person.