The Health Insurance Portability and Accountability Act (HIPAA) is a law that creates limits on how personal health information (PHI) is used, shared, and discussed. The law protects patients’ personal data by creating clear guidelines for covered entities. If you aren’t sure whether your business falls under HIPAA guidelines, or you’re looking for more information on HIPAA in general, we have everything you need to know here.
What is HIPAA Compliance?
If your business is a HIPAA-covered entity, you need to develop a comprehensive strategy that ensures your company is HIPAA compliant at all times. This means creating a written policy that details the rules and regulations your employees need to follow. This includes safeguards that are in place, steps employees should take to maximize compliance, and more. Legally, every employee needs to receive a copy of the privacy policy to review, sign, and acknowledge. This way, if you run into HIPAA violations later down the line, you can prove that you took the proper precautions as a HIPAA-covered business.
Who Does HIPAA Compliance Apply to?
HIPAA compliance applies to all employees and business associates of covered entities. Both employees and business associates should receive a copy of the privacy policy at the time of employment or partnership. If you don’t provide them with this, you run the risk of facing serious legal consequences if a HIPAA violation happens at your practice. You should cover all your bases with an in-depth policy and ensure that you’re taking note of your employees and encouraging people to report anything that may be a violation of HIPAA.
What Happens When an Employee Violates HIPAA Protocols?
The longer your business is active, the more likely it is that you’ll have a HIPAA violation at some point. Rather than dismissing the possibility of receiving a violation, it’s a good idea to be prepared for any circumstance that might come your way. There are a few different scenarios for why an employee might violate HIPAA and how it will be handled.
Accidental Violation
We all know accidents happen, so it’s sound to believe that a HIPAA rule could be violated unknowingly. The measures that are taken after an accidental violation, however, depend on the circumstance. For instance, if HIPAA finds that your company did not properly distribute HIPAA guidelines to employees, the company itself is at fault. If employees have received and acknowledged a privacy policy, then there’s a chance no one is at fault. If there wasn’t malicious intent, the employee and company could simply end up with a warning. It’s important to note that outcomes are determined on a case-by-case basis.
Civil Penalties
If a violation is corrected within 30 days of notification of the violation, then no penalties will be applied. However, if the violation isn’t corrected, a person may face civil penalties. This type of penalty applies to a situation where the person was aware that HIPAA rules were being violated, or should have been aware. Civil penalties for HIPAA violations start at $100 per violation and can rise as high as $25,000 if the person has had multiple violations of the same kind.
Criminal Penalties
Criminal penalties can be extremely expensive and may even involve jail time. The minimum fine for this type of penalty is $50,000, while the maximum penalty is $250,000. In both instances, the individual would have knowingly violated a HIPAA law. If a violation occurs due to negligence, the individual can face up to 1 year in prison. If the individual seeks out sensitive health information under false pretenses, they will face a maximum term of 5 years in prison. Finally, if an individual knowingly violates HIPAA laws with malicious intent, they could face up to 10 years in prison. The bottom line is, the penalties for breaking HIPAA laws are serious. You don’t want your employees or your business in this situation, so it’s crucial that you provide the proper tools and education to avoid it at all costs.
Miscellaneous HIPAA Questions
We know that HIPAA rules are complex, so we’re exploring some common questions those working under HIPAA might have.
Is the Employee at Fault if They Break HIPAA Rules Due to Lack of Training?
If an employee doesn’t receive proper training and breaks a HIPAA law, the employer is at fault. All employers covered under HIPAA are required to provide training as is necessary for the employee to properly complete their job. You might be worried this could turn into a ‘he said, she said’ situation, but that’s not the case. HIPAA-covered entities are also required to document any and all training that is provided, when it occurred, who attended the training, and what information was discussed and distributed.
Who is at Fault for a Violation Caused by a Computer Error?
HIPAA requires covered entities to implement administrative and digital safeguards to prevent errors. Businesses are responsible for creating these protocols and ensuring their employees understand them. If the violation occurs because the company failed to implement proper safeguards, the employer is at fault. However, if the violation is due to operator error or failure to follow said protocols, the employee is at fault.
Invest in HIPAA-compliant Software
Meeting HIPAA compliance is part of running a successful healthcare practice. If you’re looking to upgrade your protocols and invest in tools that will improve your compliance, check out our web-based medical billing software. We offer free demos of our system to anyone who’s interested, so you can check out our capabilities at no cost! If you’d like to book a time to chat with a billing expert, contact us ASAP!