(Part 3 in our series on IT Compliance Concerns.)
What is the Health Insurance Portability and Accountability Act (HIPAA)?
In the first two parts of this series, we discussed the Sarbanes-Oxley (Sarbox or SOX) Act and what it means in terms of Information Technology concerns. In this article, we’ll look into what the Health Insurance Portability and Accountability Act is, and what it means to your company.
Enacted in 1996, the main purpose of the Health Insurance Portability and Accountability Act (also known as HIPAA or the Kennedy-Kassebaum Act) is to make it easier for people to keep health insurance, maintain the confidentiality and security of their healthcare information, and to control healthcare administrative costs. Title I of HIPAA is concerned with protecting health insurance coverage of workers and their families when they change or lose their jobs; Title II requires the establishment of national standards for electronic health care transactions and the establishment of national identifiers for providers, health insurance plans, and employers. (Title II is also referred to as the Administrative Simplification, or AS, provisions.)
What company types are affected by HIPAA compliance?
Covered entities and their business associates are the entities primarily affected by HIPAA.
Under HIPAA, there are three types of covered entities: health care providers, health plans, and health care clearinghouses.
● Examples of health care providers include hospitals, clinics, medical and dental practices, nursing homes, hospices, and pharmacies.
● Health plans include HMOs, health insurers, and employer-sponsored group health plans.
● Health care clearinghouses include entities that transmit claims or billing information.
Companies that provide services for covered entities and handle Protected Health Information (PHI, often loosely called Personal Health Information) can be considered business associates under HIPAA. While it is not always easy to determine whether a company is a business associate, typical examples include accounting firms, law firms, consultants, software vendors that handle PHI, and cloud storage companies. (A company that merely transmits PHI without routinely accessing it, such as an ISP, generally falls under the HHS "conduit" exception and is not a business associate.) If such a company works with covered entities, its contracts with those covered entities (business associate agreements) will require it to comply with the applicable parts of HIPAA.
What are the penalties for failing to comply with HIPAA?
Civil penalties for covered entities were originally set at $100 per violation, up to an annual maximum of $25,000 for violations of the same requirement; the 2009 HITECH Act replaced this with a tiered structure that reaches $50,000 per violation and $1.5 million per year for each provision violated, with the amounts adjusted for inflation. Fines are not the only concern: for criminal violations, the fines can be as high as $250,000 and may include up to ten years in prison. Business associates were originally reachable only through their contracts, but since HITECH and the 2013 Omnibus Rule they are directly liable for HIPAA penalties as well. Independently of that, a violation of a business associate agreement can lead to termination of contracts and to the risk of civil lawsuits filed by harmed individuals.
How does the HIPAA Privacy Rule work?
Covered entities and business associates are subject to the HIPAA Privacy Rule, which governs the use and disclosure of PHI. Information covered by this rule includes name, address, date of birth, Social Security number, and any other information that can be used to identify a patient, when it is combined with information about a patient's past, present, or future physical or mental health condition; the provision of health care to the patient; or the past, present, or future payment for the provision of health care to the patient.
All of these requirements naturally mean challenges for your IT department. We will discuss these in the next part of our series on IT compliance concerns.
Coming soon: Part 4 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About HIPAA Compliance?” It will cover:
● How companies are (and are not) allowed to use PHI (Protected Health Information).
● Additional details concerning business associates and subcontractors.
Other posts in this series:
● Part 1: Making Sure Your Business is SOX Compliant
● Part 2: SOX Compliance and Your IT Team