Understanding HIPAA Compliance Can Help Protect Health Care Providers Too

Miles & Stockbridge P.C.

It’s no secret that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to protect the privacy of patients and their sensitive health information. However, understanding the importance of HIPAA compliance and the potential consequences of violations can also help protect the health care providers who care for them. With this in mind, we are pleased to share a recap of five key areas important for health care providers of all shapes and sizes.

1. The HIPAA Security Rule places an obligation on covered entities to assess and review their physical, electronic, and administrative security standards and procedures. While this assessment and periodic review are scalable to the resources of the health care provider, they are one of the first things that the Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS) considers when reviewing a security breach.
2. There remains some confusion on when and how to use a business associate contract and the liability of business associates under HIPAA. This confusion extends to contractors of business associates, commonly referred to as sub-business associates. OCR’s Final Rule in 2013 made clear that business associates are required to meet many of the same requirements as covered entities, including complying with the Security Rule.
3. Business associates should be entering into HIPAA-compliant sub-business associate agreements with their contractors and have provisions to monitor and enforce those agreements. Both the covered entity’s business associate agreement and the business associate’s sub-business associate agreement should require satisfactory assurances that any sub-business associate that uses, stores, or transmits protected health information will be required to sign a sub-business associate agreement and comply with HIPAA.
4. Violations of HIPAA Privacy and Security Rules carry risks of civil and criminal penalties. Civil penalties can exceed $50,000 per violation and result in up to a $1.5 million penalty per type per year. Criminal penalties, which apply if employees or other individuals obtain or disclose protected health information from a covered entity without authorization, are likewise steep with fines up to $250,000 and prison terms for knowing violations.
5. The HHS OCR enforces the HIPAA Privacy and Security Rules. OCR’s civil investigations have resulted in settlements or civil monetary penalties of $135,328,482.00 against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. In cases meriting criminal investigation, such as knowingly obtaining or disclosing protected health information in violation of the Rules, OCR refers the matter to the Department of Justice. As of July 31, 2021, OCR had made 1,167 such referrals to the U.S. Department of Justice.

Even if the health care entity is a victim of hackers or cyber thieves, the repercussions can be severe if the entity failed to implement the security protections required by HIPAA Rules. Click here to read about one such case on the HHS website.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising
