A quick glance at the HIPAA News Releases & Bulletins webpage reveals that violations regularly lead to multi-million-dollar settlements. HIPAA, the Health Insurance Portability and Accountability Act, includes a privacy rule that protects the privacy of individuals’ health information. Individually identifiable health information may not be used or disclosed except with written permission or for permitted purposes, such as treatment and payment. There are also rules guaranteeing an individual’s access to personal information and limits on the fees that may be charged for such access.
Failure to comply with the rules regulating protected health information can – and often does – result in penalties and lawsuits. This is true even if the privacy breach results from cybercrime, if the company has not taken steps to prevent those types of incidents. This is significant because the Ponemon Institute reports cybercrimes are now the leading cause of health information breaches. According to Healthcare IT News, this is big business. In fact, one Medicare number can sell for as much as $500 on the black market.
To ensure that regulations are being followed, the Office for Civil Rights has been conducting audits both of covered entities and of their business associates. The covered entities selected for audit received letters in July, and affected business associates should receive notice sometime this fall.
Who has to comply with HIPAA?
HIPAA applies to health plans, health care clearinghouses, health care providers and business associates. Business associates include any person or organization that deals with protected health information, such as for legal, administrative or consulting purposes.
Employers are not normally covered under HIPAA regulations. For example, employers who request a doctor’s note are not bound by HIPAA. However, employers who administer group health plans and associated wellness programs are covered by HIPAA. More information about HIPAA regulations relating to employer wellness programs can be found here.
What should organizations handling protected information do?
To prevent lawsuits and prepare for the possibility of an audit, organizations should take several steps.
- Know and observe HIPAA regulations. If you haven’t already, read up.
- Don’t forget about business associates. In order to ensure that business associates handle protected health information correctly, written safeguards must be included in the contract. A sample contract is available here.
- Train your employees. Good policies mean little if employees aren’t aware of them.
- Secure your information against theft and hacking. If protected health information is accessed by unauthorized individuals, the organization can be found responsible if proper safeguards were not in place. Physical information must be stored in secured areas, and electronic information must be protected against hackers. USA Today reports that 42.5 percent of data breaches in the last three years occurred within the health industry.
Even if you aren’t selected for an audit this year, you still need to make sure you’re following HIPAA regulations. Don’t let yourself end up on HIPAA’s bulletin as the latest organization to pay millions of dollars for noncompliance.
Of course, HR compliance is challenging if you don’t have a cutting-edge, secure and integrated benefits administration system. Could your processes use an upgrade? Ask us for a demo of the iTEDIUM product suite today.