The Department of Justice (“DOJ”) concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of corporate criminal liability. Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.
How to be In Compliance and Avoid Penalties
Healthcare organizations should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. Such an assessment will examine the risks of a breach and provide recommendations on how to minimize risks.
Every health care organization should protect its sensitive data by doing the following:
Additionally, it is important that every organization engage in a full compliance review of policies, forms, and procedures on an annual basis with health care regulatory counsel to ensure HIPAA compliance.
All covered entities and business associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013. All covered entities must have documented policies and procedures regarding HIPAA compliance.
Additionally, HIPAA compliance requires staff privacy and security training on a regular basis.
As discussed above, HIPAA compliance is mandatory, and the fines for violations are hefty.
HIPAA regulatory counsel can help to ensure HIPAA compliance by reviewing, revising, and updating internal HIPAA policies and procedures, tailoring such policies and procedures to the specific health care entity.
At a minimum, to avoid HIPAA penalties, health care providers and business associates should:
How to Be HIPAA Compliant For Healthcare Providers
HIPAA Privacy And Security Rule Enactment
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a federal law that sets forth certain requirements to be followed by “covered entities,” including healthcare providers, with respect to safeguarding the privacy and security of patient information.
HIPAA helps ensure that all medical records, medical billing, and patient account information meet certain standards with regard to documentation, handling, and privacy.
In other words, it requires covered entities to protect the privacy of patient information, to secure patient health information (physically and electronically), and to adhere to the minimum necessary standard for the use and disclosure of patient health information, and it specifies patients’ rights regarding access to, and the use and disclosure of, their health information.
The HIPAA Privacy Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E, regulates the use and disclosure of Protected Health Information (“PHI”). Under HIPAA, a covered entity is not required to obtain consent or authorization to use or disclose PHI for treatment, payment, or health care operations.
While the HIPAA Privacy Rule does not require an individual’s consent or authorization for the use or disclosure of PHI for treatment, payment, or health care operations, the Florida Statutes impose a stricter standard for the use or disclosure of patient information and require a written authorization for disclosures other than for treatment purposes, except under certain enumerated circumstances.
The HIPAA Privacy Rule contains several key definitions, listed below:
Business Associate: A person, other than a member of the covered entity’s workforce, that, with respect to a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information.
Covered Entity: A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
Protected Health Information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI is information related to a patient’s past, present, or future physical and/or mental health condition.
It includes, but is not limited to, the following information when it is maintained by a healthcare covered entity in order to conduct healthcare treatment, payment, or operations: name, address, birthdate, telephone number, email address, social security number, medical record number, account number, certificate/license number, and several other types of information collected and used by healthcare providers. PHI includes health information about individuals who have been deceased less than 50 years.
Minimum Necessary: When using or disclosing protected health information, or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The minimum necessary requirement does not apply to disclosures to a health care provider for treatment.
HIPAA’s Security Rule Standards
The HIPAA Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
While the Privacy Rule governs who may use and disclose PHI, the Security Rule focuses on ensuring that only those who are entitled to access electronic protected health information (ePHI) gain access to it, and that ePHI is not improperly altered or destroyed and remains available when needed.
The HIPAA Security Rule applies to covered entities and business associates, as defined above. While the Privacy Rule protects the privacy of PHI, the Security Rule protects PHI that a covered entity creates, receives, maintains or transmits in electronic format.
The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
Covered entities must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule, and must periodically review and update their documentation.
When hackers gain access to a provider’s IT system and obtain information about patients or plan members such as names, medical IDs, Social Security Numbers, and mailing and email addresses, that intrusion is potentially a HIPAA breach as long as Protected Health Information (PHI), as defined by HIPAA and the HITECH Act, is involved.
Any person who believes that a covered entity or business associate is not complying with HIPAA has the right to file a complaint with HHS. The complaint must name the provider who allegedly violated HIPAA and describe the acts or omissions that are believed to have violated HIPAA.
The time limit for filing a complaint is 180 days after the date on which the complainant knew or should have known that the act or omission occurred, but HHS may waive this time limit for good cause.
If HHS accepts a complaint for investigation, it will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity will have the opportunity to present information about the incident described in the complaint. HHS has the authority to subpoena witnesses and documents as part of its investigation. The investigation may include a review of the covered entity’s policies, procedures, or practices.
In addition, HHS may conduct compliance reviews to determine whether a covered entity or business associate is complying with HIPAA. HHS may initiate these reviews when it becomes aware of possible violations of HIPAA by a covered entity.
What to Do In the Event of a HIPAA Breach?
Covered entities must provide a process for individuals to make complaints and document all such complaints. Additionally, covered entities may not take any retaliatory actions against anyone making a complaint.
Under the 2013 Omnibus Rule, an impermissible use or disclosure of unsecured protected health information is presumed to be a reportable breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. Business associates must report a breach to the covered entity without unreasonable delay, and covered entities must notify affected patients without unreasonable delay, and in no case later than 60 calendar days after discovery under HIPAA, or 30 days under FIPA.
If the breach involves fewer than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year in which the breach was discovered.
If the breach involves 500 or more persons, the covered entity must file the electronic report with HHS at the same time it notifies the affected patients. The written notice to the patient must satisfy the regulatory content requirements.
Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.
Breach Notification and Enforcement
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of the U.S. Department of Health and Human Services (“HHS”), and, in some cases, the media regarding breaches of unsecured protected health information. Once a covered entity discovers a breach of unsecured PHI, both Florida law and HIPAA require notification to the individual without unreasonable delay.
Under HIPAA’s Breach Notification Rule, the outside time limit for individual notification is 60 calendar days after discovery, while under the Florida Information Protection Act (“FIPA”) the outer time limit for notification is 30 days. As Florida’s law is more stringent, covered entities should be sure to comply with the shorter time frame specified in the Florida statutes. Additionally, business associates are required to notify covered entities of a breach of unsecured PHI.
The HHS Office for Civil Rights (“OCR”) is responsible for enforcing HIPAA’s Privacy and Security Rules. OCR enforces the Rules by investigating complaints and conducting compliance reviews to determine whether covered entities and business associates are in compliance.
Fines and Penalties
Failure to comply with HIPAA can result in civil and criminal penalties, as listed below: