HIPAA, the Health Insurance Portability and Accountability Act, has been a term of concern for the past few years for every healthcare provider and individual.  Congress enacted HIPPA in 1996 to ensure the efficiency and standardization of healthcare as well as to enhance access to healthcare. What most business owners do not know is that HIPAA affects everyone. HIPAA affects those within education, non-profits, private practices, major corporations and even the government.

This is why the HIPAA privacy rule was created. The HIPAA Privacy Rule prohibits the release of any protected medical information to a third party without the consent of the authorized individual’s valid signature.  Provisions of healthcare, the payment of the provisions of healthcare and a person’s future, present and past health condition(s) all fall under protected medical information. If a hospital or healthcare provider shares personal medical information an individual can sue due to the risk of healthcare and identity fraud.

If your healthcare provider is hosting data with a HIPAA compliant provider and deals with protected heath information (PHI)  it is law, according to the U.S. Department of Health and Human Services, for them to have specific technical and physical precautions in place.  Here is what you need to know about those precautions:

  • The aid in the prevention of security violations and to identify the source, tracking logs or audit reports must be applied.
  • Physical precautions include but are not limited to:
    • Reusing, removing and transferring all data that is electronically protected by PHI
    • Limited facility access with only approved access in place
    • Limited physical access to workstations and electronic data
  • Technical precautions include by are not limited to:
    • Authorized access only to databases with unique user IDs
    • Encryptions and decryptions
    • Automatic log-off
    • Emergency access processes in place
  • Employees should be trained on a regular basis on HIPAA compliance and regulations

When policies and procedures are not properly followed Attorney General’s Offices are now levying fines and they are not only going after large corporations.  A small private practice with two locations in New Hampshire and four in Massachusetts faced HIPAA’s first settlement for not having proper technical procedures and policies in place. There was a breach where nearly 2200 individuals’ PHI was stolen from one of the practice’s employees.  The resolution amount totaled $150,000 for the practice.

A small dental practice that hired a company to securely destroy old paper records of his former patients; however, the files were discovered in a dumpster behind a church.  The fine was $12,000 for illegally disposing the PHI belonging to the patients even though he hired a third party vendor and believed to have been following proper procedures.

Do not end up like either of these small businesses; reach out to your local IT provider today. They will be able to educate you on such risks and payments.

To find out more about how you are protected by HIPAA visit here.

Leave a Comment