To begin with, what does HIPAA stand for? It stands for the Health Insurance Portability and Accountability Act of 1996. This article is a comprehensive explanation of HIPAA law, who it applies to, and its violations.
What Is HIPAA Law?
HIPAA law was passed by Congress in 1996. The law was put in place to prevent the unauthorized disclosure of an individual’s Protected Health Information (PHI). The law also protects the privacy rights of people and minimizes national healthcare fraud and abuse.
Individuals and companies with access to PHI should implement the right policies and procedures for data security. All personal data pertaining to individuals should be protected in compliance with HIPAA.
What Information Does HIPAA Protect?
Under federal law, HIPAA protects the following information:
- Medical test results and other information of the patient
- Records that are with the insurance providers
- Information on prescriptions
- Any information pertaining to bills for medical treatments
- Diagnosis and any other treatment information given in the medical records
Who Does HIPAA Apply To?
Companies defined as covered entities have to comply with HIPAA law. But first, what exactly are covered entities?
Covered entities include the following:
- Health care providers that hold medical records of people such as doctors, nurses, nursing homes, hospitals, psychologists, and dentists
- Insurance companies
- Programs for health care by the government
- Business associates such as lawyers, contractors, IT professionals, and billing companies that need access to health insurance data
Apart from the HIPAA law, covered entities also have to follow The Privacy Rule which protects PHI, and The Security Rule which safeguards the confidentiality of the electronic Protected Health Information.
Who Is Exempt From HIPAA?
Most businesses are non-covered entities and do not have any obligation to follow HIPAA regulations. Even if such employers provide health insurance to their employees, they by no means have the obligation to protect the data of their employees. Instead, the responsibility of protecting employees’ data falls on the shoulders of health insurance companies.
Examples of non-covered entities are:
- Most schools
- Municipal offices
- Law enforcement agencies
- Many state agencies
- Life insurers
- Employers who require access to employees’ medical records for the purpose of worker compensation claims
Although non-covered entities do not follow HIPAA law, they have to protect the confidentiality of employee health information under the US Privacy Act of 1974, the ADA, and state regulations.
What Is a HIPAA Violation?
A HIPAA violation is the failure to abide by the rules and standards of the HIPAA law. The infringement includes the following:
- Disclosure and unauthorized use of an individual’s Protected Health Information (PHI)
- Failure to provide administrative, physical, and technical protection to the PHI
- Inability to carry out a company-wide risk analysis to identify possible risks to the confidentiality and integrity of PHI
- Delay in breach notifications
- Failure to enter into a HIPAA-compliant agreement with business associates
There are three ways to discover HIPAA infringements:
- The Office for Civil Rights or a state attorney general conducts an investigation into a data breach
- External parties conduct a HIPAA compliance audit
- An investigation is made into complaints of covered entities and business associates
Pro Tip: It is advisable that covered entities conduct a regular internal HIPAA audit. This is because it will help businesses identify potential breaches and violations and prevent hefty penalties. It is better to start off early as the longer the delay, the higher the penalty.
How to Report a HIPAA Violation?
If you personally witness a HIPAA violation, you must report it to the OCR. Anybody who witnesses a breach has the right to report it.
One can file a complaint via email, fax, or mail. You can also file a complaint directly through the OCR Complaint Portal within 180 days of the breach being observed.
A covered entity must comply with HIPAA rules if a breach happens during the investigation. They should take corrective action or must pay the settlement amount.
HIPAA Violation Consequences
Once the HIPAA violation complaint has been filed, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) carries out an investigation, which includes performing a compliance review, education, and outreach programs.
In the case of a non-compliance complaint, the OCR will demand corrective actions or voluntary compliance.
It is important to keep in mind that violations can also lead to criminal and civil charges if the complaint goes to the Department of Justice.
Breach Fines for Violating HIPAA Regulations
The Department of Justice is responsible for handling breach fines related to HIPAA violations. They divide the fine into two categories: reasonable cause and willful neglect.
- For reasonable cause, fines range from $100 to $500,000
- In case of willful neglect violations, penalties range from $10,000 to $50,000 and can also result in criminal charges
- Violations including fraud can result in a fine of $100,000 with up to 5 years of imprisonment
- Violations that include selling or transferring private health information for purposes of causing harm, commercial advantage, or personal gain result in a fine of $250,000 with up to 10 years of imprisonment
- If a willful neglect violation is not corrected in due time, the penalties can go up to $1.5 million per year.
Most Common HIPAA Violations
There are some common HIPAA violations that have been carried out by covered entities. In such cases, the violations have to be settled with the state attorneys general and the Office for Civil Rights (OCR). The size of the settlement amount depends on the following factors:
- The gravity or seriousness of the violation
- Length of time for which the violation persists
- Number of violations caught
- The financial position of the business associates and covered entities
Let’s have a look at the list of common HIPAA violations below:
- Accessing patients’ healthcare records for reasons other than those specified by the Privacy Rule, such as treatment, healthcare operations, or payment, is an infringement of a patient’s private information.
- Employees snooping on health care information of friends, family, and co-workers when working in the same organization. As a consequence, they are either fired or have to face criminal charges.
Although it is uncommon for health care providers to fail to prevent snooping on patients’ healthcare information, it is still possible. Here is an example involving the University of California Los Angeles Health System.
University of California Los Angeles Health System paid a fine of $865,000 for failing to prevent access to medical records. A doctor was investigated for exposing the health records of some celebrities and patients without authorization.
Failure to Carry Out Company-Wide Risk Analysis
The failure to conduct a risk analysis in an organization leaves employers uninformed about the risk to which the employees’ health records are exposed. Employers remain unaware of how vulnerable the confidentiality and integrity of Protected Health Information are.
Failure to perform a risk analysis requires covered entities to pay HIPAA settlement charges. For instance, in 2013 Oregon Health & Science University paid $2.7 million to OCR for failing to carry out organization-wide risk analysis. Similarly, Lahey Hospital and Medical Center paid $850,000 for not being able to carry out a risk assessment and other HIPAA violations.
Inability to Manage Risk Management Process
Carrying out an organization-wide risk assessment is essential but not sufficient. Apart from identifying risks, there should also be mechanisms to manage them. Once identified, risks should be addressed as quickly as possible. However, many covered entities fail to do so, making it one of the most common HIPAA violations.
Just as there is a settlement amount for not carrying out a risk assessment, there is one for this as well. Covered entities that don’t address risks have to pay a settlement amount to OCR. For instance, the University of Massachusetts Amherst paid a penalty of $650,000 for risk management failure.
Denying Access to Patients of Their Health Records
Another very common HIPAA violation is to deny patients access to their own medical records. According to the HIPAA Privacy Rule, patients have the right to their own medical records and copies of them. They may want access for multiple reasons such as checking for errors or sharing them with others such as doctors or family.
If an entity fails to provide access to medical records within 30 days of the requestor’s request, or overcharges for the copies of health records, it will have to pay a penalty for it.
If a patient’s healthcare information is given to unauthorized individuals without the patient’s consent, it will be a HIPAA violation. Therefore, it is better to obtain authorization from the patient. It is important that the patient or their representative sign the authorization form.
This point is similar to the last one but with a little twist. Even if the patient has provided authorization to disclose information to a third party, it is important to note what information the patient has given consent for. It is important to ensure that only the information on the authorization form is shared with the third party. Any other information not on the form should remain confidential.
It is a HIPAA requirement to ensure that all devices having access to personal information are secure. This is a common HIPAA violation by healthcare workers who download ePHI on insecure portable devices and suffer the consequences later.
HIPAA Violation and COVID Vaccination
Given the pandemic, it is natural to wonder if asking about someone’s vaccination status is a HIPAA violation.
Well, asking for a vaccination status is not a HIPAA violation as no personal health information is out in the open.
When non-covered entities such as friends and family ask you about your vaccination status, it is not a HIPAA violation as you can disclose this information yourself.
Another important point is that certain businesses such as airlines, schools, and some companies may ask you for your vaccination status. It is important for them to know before they let you inside their facility, and asking does not constitute a HIPAA violation. However, it is up to you to disclose that piece of information or not.
Similarly, employers may ask their employees about their vaccination status or its proof for security purposes. Schools, colleges, and universities may also ask for vaccination proof before admitting students. This again cannot be termed a HIPAA violation.
Now, the question is what really is a HIPAA violation when considering COVID vaccination status.
If a covered entity discloses your vaccination status to anyone without your consent, it would be a HIPAA violation. For example, a doctor should not disclose their patient’s vaccination status to their employer without consent.
If a doctor discloses the vaccination status of their celebrity patient to the media without written authorization, it will be a HIPAA violation.
If a media website publishes the same information, it will not be a HIPAA violation because the website is not a covered entity.
The key takeaway is that HIPAA laws do not prevent anyone from asking about your vaccination status. People can and will ask given the risky and uncertain times we are living in. It is however at your discretion to disclose that information or not.
HIPAA: Best Practices
As a covered entity or a business associate of a covered entity, you should be aware of HIPAA standards. Besides, you should introduce guidelines for best practices to ensure the privacy and protection of healthcare data in your organization.
Below is a checklist of dos and don’ts that will help you comply with HIPAA regulations.
Do’s
- Make employees aware of the HIPAA regulations on PHI usage and disclosure
- Develop a set of HIPAA policies and procedures and make it accessible for all employees
- Create a new role of Privacy officer in HR and make them responsible for processing complaints and providing information on data security procedures
- Carry out a company-wide risk assessment to discover any potential violations
- Train employees on a regular basis and ensure they stay updated on current HIPAA policies and procedures
Don’ts
- Sharing login credentials
- Leaving important documents unattended
- Accessing records of patients without an important reason
- Disposing of PHI documents in general waste
- Sharing PHI on social media
The Final Word
Whether you are a hospital or a business, as long as you are a covered entity you have to abide by all the laws and regulations imposed by HIPAA. Make it a practice to perform regular checks on data protection policies so you don’t have to pay hefty penalties and fines.