Does your organization have a strategy in place to manage your HIPAA risk? HIPAA is the Health Insurance Portability and Accountability Act of 1996; in practice the term also covers the regulations issued under it (the HIPAA Rules, chiefly the Privacy Rule, the Security Rule, and the Breach Notification Rule). HIPAA imposes a range of requirements, but the provisions relevant to every regulated organization concern the privacy and security of health-related information. The first step is to determine whether HIPAA applies to your organization at all. By understanding the HIPAA Rules, you can identify your potential risk points and put a plan in place to mitigate your exposure.
Who is Impacted by HIPAA?
There are two types of organizations subject to HIPAA: covered entities and business associates. Covered entities are healthcare providers (including hospitals and pharmacies) that transmit health information electronically, health plans (including employer-sponsored group health plans), and healthcare clearinghouses. A business associate is any person or organization that performs functions or provides services on behalf of a covered entity, or of another business associate, that involve creating, receiving, maintaining, or transmitting protected health information (PHI). If you provide such services and fall into a category such as professional services (for example, accountants), consulting, or technical support (for example, cloud storage), HIPAA requires the covered entity to have a business associate agreement with you, and that contract will contain provisions that flow HIPAA obligations down to your business.
Common HIPAA Myths
There are some misconceptions about the HIPAA Rules. HIPAA doesn't prevent an employer from asking for a doctor's note for an absence, because records an employer holds in its role as employer are excluded from the definition of PHI, although this practice may create other legal exposures for employers. It also doesn't limit your ability to request information needed to administer benefits programs such as healthcare coverage, workers' compensation claims, or sick leave, although employers should consider other risk factors around these types of requests.
Privacy and Protected Health Information
HIPAA defines protected health information (PHI) broadly: any individually identifiable health information held or transmitted by a covered entity or business associate that relates to an individual's past, present, or future physical or mental health, to the provision of health care, or to payment for health care. Identifiers that make information "individually identifiable" include demographic data, contact details such as name and address, and Social Security numbers. HIPAA also specifies with whom PHI can be shared. Without the individual's written authorization, a covered entity or business associate may generally use or disclose PHI only: to the individual in question; for treatment, payment, and health care operations; to a designated personal representative; about decedents, for example to coroners, medical examiners, and funeral directors; in response to a court order; and in the other situations the Privacy Rule specifically permits. The HIPAA Rules also require covered entities to provide a Notice of Privacy Practices describing how PHI may be used or shared. The law is very specific about what the notice must include, when it must be presented, and the rights patients have over their information.
HIPAA and Electronic Security
HIPAA also places responsibility on covered entities and their business associates to secure individuals' electronic protected health information (ePHI). The Security Rule requires administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI; protect against reasonably anticipated threats; protect against reasonably anticipated impermissible uses or disclosures; and ensure workforce compliance. Regulators take HIPAA compliance seriously: civil penalties scale with the level of culpability, reaching $50,000 per violation (subject to annual caps that are adjusted for inflation), and knowing misuse of PHI can also carry criminal liability.
If your business works in the healthcare space or contractually works with a company that does, it’s important that you determine your HIPAA obligations and risk exposure. An experienced HR professional or business attorney can help you map your risks as well as develop and implement a plan to help stay in compliance.