What Is HIPAA Compliance?

In a nutshell, HIPAA compliance means that an organization is compliant with all of the US Department of Health and Human Services’ requirements.

HIPAA is a mandatory law that was passed in 1996. It ensures that more Americans will have better access to healthcare insurance and that they shouldn’t lose their insurance because of switching jobs. In addition, it allows the Department of Health and Human Services to have a distinct set of guidelines that will safeguard Protected Health Information. And now, the policies have been defined and expanded using the HIPAA Privacy Rule, HITECH Act, Security Rule, and several other expansions of the original law.

Protected Health Information And HIPAA

Protected Health Information refers to any private health data that has the potential to identify an individual that was used, created, or disclosed while providing any healthcare service — either treatment or diagnosis. It covers:

• Healthcare services provided to a patient/individual
• An individual’s past, present, or future physical health and condition
• Past, present, or future payment for any healthcare service provided to a patient/individual

PHI is any information that can be viewed in medical records. It’s also the conversations between healthcare providers, i.e., doctors and nurses, regarding the patient’s treatment plan. As a rule of thumb, it will automatically be considered PHI if it’s information that the patient can recognize. It can also be classified as PHI if it has been discovered or used while providing healthcare services.

As a whole, HIPAA has already provided 18 PHI identifiers to help medical professionals be more careful when dealing with sensitive data.

What Are The HIPAA Guidelines?

To make it easier, here are the basics of HIPAA compliance that you need to know. The following steps will help you on your HIPAA compliance journey:

1. Choose a privacy officer who will overlook the implementation of HIPAA compliance
2. Make sure to know HIPAA’s core rules and require mandates by heart
3. Accomplish the Annual Security Riks Analysis and Management before anything else
4. Properly adopt and implement Privacy Policies and Security Procedures
5. Breach Preparation
6. Ongoing training
7. Consistently enact proper and accurate business associate agreements together with other collaborations

How Much Will It Cost To Violate HIPAA?

If you’re wondering how much it costs to violate HIPAA, it typically ranges from $100 to a whopping $1.5 million, depending on the severity. And to guide you, HIPAA has a four-tiered system based on the level of negligence that resulted in a breach.

First Tier

The first tier covers whenever the entity did not and could not have reasonably known that there has been a breach. First tier violations cost from $100 to $50,000 per violation and can go up to $25,000 per year.

Second Tier

This level means that the entity already knew that they committed a HIPAA violation. However, they did not do so with willful neglect. Second tier violations cost from $1,000 to $50,000 and can go up to $100,000 per year.

Third Tier

The third tier is whenever the entity completely acted with willful neglect but made sure to correct the issue within a 30-day period. The penalty costs from $10,000 to $50,000 per accident and $250,000 for each year.

Fourth Tier

For the last tier, the entity acted with willful neglect and did nothing to correct the issue within a 30-day period. The fine begins at $50,000 per incident and costs $1.5 million per year.

Who Should Be HIPAA-Compliant?

Under the HIPAA law, two types of entities are responsible for PHI: Business Associates and Covered Entities.

Covered Entity

HIPAA defines a covered entity as anyone who collected, transmitted, or created Protected Health Information during treatment, operations, and payment upon providing healthcare services.

And almost all covered entities are healthcare groups that have direct contact with individuals/patients. Some of the most commonly covered entities are doctors, clinics, and hospitals. However, insurance companies and health plan providers may also be considered covered entities.

Business Associate

A business associate is an individual or organization that performs activities or works on behalf of a covered entity. And more often than not, it involves the disclosure of PHI.

With the complexities that come with modern healthcare, PHI is often found in places outside the hospital or doctor’s office. And with modern healthcare’s colossal size, countless entities can be classified as business associates. Examples include billing companies, EHR platforms, law firms, email hosting services, cloud, and physical storage providers, and practice management firms.

And even though patients don’t come in contact with business associates, they still have access to some of their PHI. And one of the HIPAA requirements is for business associates’ subcontractors with access to PHI should be HIPAA compliant.

Conclusion

Don’t worry; you’re not the only one who finds the HIPAA regulations complicated. However, you’ll surely master it by heart the more you read into it. Remember: the best healthcare providers and subcontractors should always oblige to HIPAA’s rules and regulations.