What You Need to Know About HIPAA Compliance and Data Protection

As technology continues to evolve, patient privacy remains a major topic of concern. The Health Insurance Portability and Accountability Act (“HIPAA”), passed by Congress in 1996, was designed to protect the confidentiality of patient records and to establish consistent data security standards across the health care industry.

HIPAA applies to “PHI” (Protected Health Information): individually identifiable health information. That is health-related information, such as appointments, a list of prescriptions, test results, or a list of treating doctors, combined with anything that identifies the individual it belongs to, such as names, email addresses, phone numbers, medical record numbers, photos, and driver’s license numbers. Any of this information, held by an organization subject to HIPAA, qualifies as PHI and must be protected per HIPAA.

The Administrative Simplification Standards under HIPAA apply to the following entities, each referred to as a “covered entity”:

  1. Health plans: Any individual or group plan (or combination) that provides or pays for the cost of medical care. Examples include health insurance issuers, HMOs, group health plans, and government programs such as Medicare and Medicaid.
  2. Health care clearinghouses: An entity that processes, or facilitates the processing of, health information received from another organization, converting it from a non-standard data content or format into a standard one, or vice versa.
  3. Health care providers: Any person or organization that furnishes, bills, or is paid for health care in the normal course of business and transmits health information in electronic form in connection with certain standard transactions. “Health care” here covers care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, services, assessments, or procedures with respect to the physical or mental condition, or functional status, of an individual, or that affect the structure or function of the body; and (2) the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Ignoring the administrative, physical and technical safeguards HIPAA requires is treated as “willful neglect”, the most serious penalty tier, and the penalties in these cases are severe. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which introduced stricter penalties for HIPAA violations and extended HIPAA obligations directly to the business associates of covered entities (the vendors and contractors that handle PHI on their behalf). Civil penalties can reach hundreds of thousands, or even millions, of dollars, and criminal penalties can result in several years of imprisonment. Additionally, non-compliant organizations suffer negative publicity and risk losing customers and business partners. If you work in the medical industry, it is vital to understand and comply with HIPAA, because failing to properly safeguard medical records and uphold data protection measures can devastate a patient’s personal and professional life.