The Health Insurance Portability and Accountability Act (“HIPAA”) was created for one specific reason – the evolution of technology. Today, health care providers are using online clinical applications and electronic health records, and health plans are offering online access to claims and care management. This evolution of technology, while incredible and appropriate, raises several security risks that could, if not appropriately addressed, lead to HIPAA penalties.

Health care providers and group health plans (“covered entities”) deal with highly sensitive and protected health information (“PHI”). The HIPAA privacy, security, and breach rules were adopted to make sure covered entities protect and safeguard PHI. Although employers/plan sponsors are not directly subject to the HIPAA rules, if the covered entity is a self-funded group health plan, complying with the myriad of HIPAA rules will likely fall on the plan sponsor.

If covered entities do not have the proper HIPAA policies and procedures in place, PHI can become vulnerable, which can lead to stiff penalties or even criminal charges. Covered entities are therefore required to implement appropriate administrative, technical, and physical safeguards for protecting PHI. This includes implementing audit, facility access, and workstation security controls; managing access to PHI; adopting privacy, security, and breach policies and procedures; and entering into business associate agreements.