Some businesses are unsure how to handle privacy compliance with regard to HIPAA regulations.
The Health Insurance Portability and Accountability Act of 1996 has created more work for businesses: they have to spend endless hours researching HIPAA regulations, training employees, and rewriting contracts, internal documents, patient forms, and policy and procedure manuals. If office administrators, practice managers or physicians are unsure how to handle privacy compliance, there could be consequences, which can include hefty fines.
The types of business entities affected by the law include health plans, health care clearinghouses, and those health care providers who conduct financial and administrative transactions (e.g., electronic billing and funds transfers) electronically. To ensure the security of personal health information, privacy safeguard standards need to be in place.
Entities have the flexibility to design their own policies and procedures to meet regulatory standards. The requirements are flexible and scalable to account for the nature of each entity's business and its size and resources. Covered entities generally will have to:
- Adopt written privacy procedures. These include who has access to protected information, how it will be used within the entity, and when the information may be disclosed. Covered entities will also need to take steps to ensure that their business associates protect the privacy of health information.
- Train employees and designate a privacy officer. Entities will need to train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed.
There are specific boundaries to keep in mind, and with some help businesses can learn to comply. For example, there must be accountability for the use and release of medical records, and companies need to ensure that health information is not used for non-health purposes. Penalties for entities that misuse personal health information include the following.
- Civil penalties. Civil penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.
- Federal criminal penalties. Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.