You know all about HIPAA compliance. You would no more risk or countenance unauthorized disclosure of your protected electronic health information than you would knowingly commit medical malpractice. However, did you know there are five gray areas of HIPAA that could catch you out and subject you to huge penalties?
1. HIPAA doesn’t just affect the healthcare industry.
Yes, the HIPAA definition of so-called covered entities specifically includes doctors, clinics, psychologists, dentists, nursing homes, and pharmacies if they transmit electronic health information. However, even if an organization does not fall explicitly within those categories, HIPAA security rules can still come into effect, for example in the case of employee group health records at a non-medical organization.
2. Business Associates of covered entities can inherit HIPAA responsibilities.
A Business Associate is an organization or individual working as a partner or subcontractor of a covered entity. If the Business Associate creates, takes custody of, maintains, or transmits personal health information, there needs to be a Business Associate Agreement in place. Likewise, the Business Associate must handle the personal health information in strict compliance with HIPAA, and is subject to federal audits.
3. Sometimes HIPAA allows personal health information to be made public.
The Department of Health and Human Services recognizes the potential usefulness of patient health information when the information is not individually identifiable. Covered entities can, under the HIPAA Privacy Rule, publish health information that is not individually identifiable.
This “de-identification” process includes a formal determination by a qualified HIPAA expert. Alternatively, the covered entity can remove individual identifiers. However, there must be a reasonable certainty that the information could never be used, alone or in combination with other information, to identify the individual.
Once de-identification has occurred, the information is no longer considered personal health information, and HIPAA does not apply. HHS cautions, however, that there is always a risk that de-identified data could be linked back to an individual.
4. So-called “addressable” HIPAA Safeguard Standards might appear optional; they are not.
Addressable security standards include maintaining data integrity, implementing authentication, ensuring transmission security and integrity, and encrypting data. Covered entities that regard addressable standards as totally flexible open the door to fines for noncompliance.
For example, if a data breach occurs as a result of not encrypting personal health information, the organization can expect a fine, even if it complied with risk assessment requirements.
5. HIPAA penalties vary from state to state and run the gamut from civil to criminal.
Under HIPAA, there are federal and state, civil and criminal penalties. On an upward sliding scale, depending on intent, degree of neglect, and how swiftly the organization took corrective action, minimum fines range from $100 to $50,000 per violation. Maximum penalties start at $25,000 and top out at $50,000 per violation, with an annual maximum fine of $1.5 million.
For a HIPAA infraction to become criminal, the person who committed it must have done so willingly. Criminal convictions under HIPAA can result in federal prison sentences of up to 10 years, depending on the person’s knowledge, actions, or malicious intent.
So if a covered entity does business in multiple states, coming to grips with the varying HIPAA-related laws can be daunting. California has the strictest patient privacy laws in the nation. On the other hand, some states, including Alabama, New Mexico, and South Dakota, have no data breach laws on the books.
Don’t let the gray areas of HIPAA catch you out. If you’re looking for the best advice on information security compliance, or you just want to shore up your network security, contact us. Global Data Systems, Inc. is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (888) 849-6818 or send us an email at info@GDSConnect.com for more information.