As of September 2018, the number of annual health data breaches has increased 70% over the past seven years. As these threats become more prevalent, it is important that anyone working in the healthcare sector understand the rules and regulations guarding Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), as well as the actions that must be taken and the penalties that may be assessed if a data breach does occur.
The HIPAA rules apply to covered entities (health care providers, health plans and health care clearinghouses) and to their business associates. Health care providers experience the most data breaches; however, the largest share of records breached involves health plans.
A breach occurs when PHI is used or disclosed in a way the Privacy Rule does not permit and the privacy and/or security of that PHI is compromised. The Centers for Medicare & Medicaid Services (CMS) describes PHI as individually identifiable health information, that is, information containing "common identifiers, such as name, address, birth date, and Social Security Number" that relates to an individual's past, present, or future physical or mental health condition, the provision of health care to that individual, or payment for that care. PHI can be in electronic, paper or verbal form.
HIPAA requires covered entities and business associates to adopt and follow policies and procedures that protect against a breach of PHI. Read our blog article "Protecting Your Practice Against HIPAA Violations" to learn more about the steps that can be taken to prevent these violations.
In the event your company discovers a data breach, the HIPAA Breach Notification Rule requires you to notify all affected individuals and the Department of Health and Human Services (HHS). Individuals must be notified in writing, by first-class mail, without unreasonable delay and no later than 60 calendar days after the breach is discovered. Alternatively, an email can be sent if the affected individual has agreed to receive electronic notices from your organization. If your contact information is missing or out of date for 10 or more affected individuals, a substitute notice must be posted conspicuously on your company's website for at least 90 days or published through major print or broadcast media, along with a toll-free number individuals can call to learn whether their information was involved. If the breach affects more than 500 residents of a state or jurisdiction, you are also required to notify prominent media outlets serving that area, regardless of whether your contact information is up to date. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window; smaller breaches may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity, which remains responsible for the notifications above.
Civil penalties for HIPAA violations are tiered by the level of culpability, from violations the entity did not know about (and could not reasonably have known about) up to willful neglect that is not corrected. They range from $100 per violation with an annual maximum of $25,000 at the lowest tier to $50,000 per violation with an annual maximum of $1.5 million for identical violations at the highest tier; the dollar amounts are adjusted periodically for inflation. Criminal penalties for knowingly obtaining or disclosing PHI range from fines of up to $50,000 and imprisonment of up to one year, to fines of up to $250,000 and imprisonment of up to ten years when the offense is committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.
LW Consulting, Inc. experts are well-versed in the HIPAA rules and regulations. We provide the requisite HIPAA compliance training, along with policy and procedure development wherever compliance gaps are identified. Our audits mirror the HHS Office for Civil Rights (OCR) HIPAA Audit Program to detect and close the gaps in your compliance program.
Ask us about HIPAA compliance training or request more information on our audit processes.