HIPAA compliance is essential for hospitals, physicians, chiropractors, dentists, ambulatory surgery centers, health plans, pharmacies and other healthcare service providers operating in the United States. An acronym for the "Health Insurance Portability and Accountability Act," HIPAA is federal legislation that became law in 1996. It requires "covered entities" (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically, for example for billing) to take specific measures to protect their patients' protected health information (PHI).
HIPAA also established that covered entities may contract with "business associates," i.e. companies that help the covered entity perform specific functions authorized under the Privacy Rule and that require access to PHI (including electronic PHI, or ePHI), such as electronic billing, release of information, and supporting electronic medical record systems.
The legislation was put into effect through several "Rules" that spell out in specific detail what a covered entity must do in order to be considered compliant.
Complying with the Privacy Rule, Breach Notification Rule, and Security Rule is essential to protecting your healthcare organization not only from a fine for a HIPAA violation but also from loss of reputation.
So, why should you comply with HIPAA? For starters, it's the law. As the enforcement pages of the HHS Office for Civil Rights (OCR) show, healthcare providers and other covered entities are regularly cited for violating HIPAA. In April 2017, for instance, the Metro Community Provider Network (MCPN) agreed to pay $400,000 to settle allegations that it lacked the security management processes needed to safeguard patient records. In February 2017, Memorial Healthcare System (MHS) agreed to pay $5.5 million to settle allegations that it had failed to implement proper audit controls, which allowed impermissible access to the records of roughly 80,000 patients. Also in April 2017, CardioNet (a provider of mobile cardiac monitoring) entered into a settlement over allegations that it had failed to address known security risks in its management of mobile devices. These are just a few examples of healthcare entities paying heavily for HIPAA violations.
Most HIPAA violations result in civil penalties, such as fines and the implementation of a corrective action plan. In extreme cases, however, they can result in criminal penalties enforced by the U.S. Department of Justice. For example, if an individual at a covered entity or business associate knowingly obtains or discloses PHI for personal gain or to harm the patient, that individual can face a fine of up to $250,000 and imprisonment of up to ten years.
While these legal requirements and penalties are important to remember, HIPAA compliance is simply the right thing to do if you are providing healthcare services and handling some of the most sensitive information that individuals will ever share about themselves. Patients need to have confidence that your organization protects their information with the same level of care that it provides for their health and wellbeing. A HIPAA violation signals to patients that your organization is cavalier in handling their information and that they might be better served by other providers. That perception may also lead to lawsuits: HIPAA itself gives patients no private right of action, but state negligence and privacy claims frequently follow a breach.
As mentioned above, HIPAA allows covered entities to contract with business associates. These companies are directly obligated to follow most of the same HIPAA requirements as the covered entity. Before a company performs any HIPAA-covered activity on behalf of your organization, you must have it sign a "business associate agreement," a contract that sets out the company's obligations under HIPAA, including the uses of PHI it is permitted to make, its duty to implement safeguards and report breaches to you, and its obligation to flow the same terms down to any subcontractor that handles your PHI.
It is therefore essential to choose your business associates wisely. Allowing a company with poor HIPAA compliance practices to access your organization's data is a recipe for disaster. If the company fails to implement its own security measures, your patients' PHI is exposed to inappropriate access, use, or disclosure. Not only can the company be penalized by HHS, but your organization can be penalized as well if it knew about the company's failures and did not act either to help it correct the issues in a timely manner or to terminate the agreement.
Can your organization, or a vendor, be "HIPAA certified"? The simple answer is no. HHS does not certify or endorse any organization as HIPAA compliant, and no private "certification" a vendor may hold carries any legal weight with HHS. Be very wary of any vendor that says, "We are HIPAA compliant!" as if that settled the matter, because no one can offer such an assurance on your behalf; too often those statements come from salespeople with little or no understanding of the HIPAA Rules. Ask instead what safeguards the vendor has actually implemented, when it last completed a risk analysis, and whether it will sign a business associate agreement. Compliance with these complicated regulations requires a serious effort and possibly some significant expenditure, depending on what safeguards and practices are currently in place. It is never too late to tighten up your compliance efforts.