The Health Insurance Portability and Accountability Act of 1996, also known by the acronym HIPAA, was created by Congress as a way to regulate the healthcare industry for a variety of purposes. These include, but are not limited to, increased access to health insurance, greater efficiency in the operational protocols of the industry itself and establishing a nationwide standard for the proper protection and safeguarding of medical health records. This last component, sometimes referred to as the Privacy Rule, plays a significant role in the way medical information is shared and handled and a violation under HIPAA can have serious impacts on caregivers and patients alike.
There are a substantial number of HIPAA requirements that doctors, insurance companies, facilities and their subordinates and subsidiaries must abide by, and failing to remain in compliance can put the patient’s privacy at risk and negatively impact the reputation of the offending medical professional. However, while most HIPAA requirements are well known and easily complied with, there are some lesser-known requirements that can stump even the most dedicated HIPAA-compliant medical provider.
Here are a couple of little-known requirements and the impact that they can have on the profession.
Disposal of Protected Information
Protected Health Information (PHI) is one of the most critical components of HIPAA. There are many requirements related to the correct handling and disposal of this information. With the recent push to make all medical records electronic, HIPAA has put an emphasis on outlining how electronic protected health information is to be properly cared for, disseminated, and destroyed, yet many are not privy to the by-laws that cover the traditional paper versions that might still exist among any number of caregivers and providers. Though it may seem a matter of common sense, it’s not always evident to all that the disposal of protected health information under HIPAA applies to all forms, electronic and paper alike.
Failing to properly dispose of PHI can result in that data being released to one or more parties who are not authorized to hold or view the contents. Doing so puts the patient’s privacy at risk by revealing his or her medical details to unknown individuals or groups. This is a violation of the HIPAA requirements; it leaves that party open to lawsuits and affects the reputation of the practice and its patients.
Business Associates Must Be in Compliance with HIPAA
Another lesser-known fact when it comes to HIPAA is the responsibility that Business Associates of Covered Entities have in maintaining compliance with the Act in all applicable areas. Simply put, any group doing business with an entity that is duty-bound to remain HIPAA compliant must also assume the same responsibility in the handling of any sensitive information that it may receive as a result of the relationship with that entity. There are a surprising number of Business Associates who either don’t believe that they are beholden to, or aren’t even aware of, HIPAA and its corresponding requirements.
In order to clear up some of that confusion, defining the term “Business Associate” may help to get these groups in compliance. Under the term, a business associate is any individual or group that handles or creates PHI in the typical operational function of their day-to-day activities in the service of a covered entity that is bound to comply with HIPAA. In essence, any person or organization that participates in the use or creation of protected health information must also comply.
This is important because it maintains the paper trail for the complete protection of the patient’s PHI and keeps that information from falling into the hands of individuals or groups who should not have access to that data. Any Business Associate that fails to follow the compliance mandate of the covered entities can be placed at risk for litigation on the part of the patient whose information has been disseminated either on purpose or by mistake.
Penalties
Penalties can vary and they can get very costly. Most violations are grouped into two categories, “willful neglect” and “did not know”. Fines can be as little as $100 and as high as $50,000 per violation. A maximum penalty of $1.5 million can be imposed alongside criminal charges that might come with a prison sentence depending on the severity of the violation(s). Fines will typically get higher depending on the number of patients affected and the extent of the neglect shown by the offending individual or organization.
A medical practice that outsources its calls to an answering service should verify that the service maintains HIPAA compliance. In addition, maintenance of call logs should be expected, as this will help add an additional layer of protection in the event of litigious actions.