Think you're having a bad day?
Whenever you need to pick yourself up and remember that it could be worse, look no further than October 15, 2018; that’s the day that healthcare giant Anthem was found to be in violation of the The Health Insurance Portability and Accountability Act, otherwise known as HIPAA.
On that day, due to a record-smashing HIPAA breach, the insurance giant was forced to pay $16 million in damages after the Protected Healthcare Information (PHI) of over 79 million US citizens was exposed. The unfortunate insurer also agreed to pay $115 million in class action lawsuits stemming from the 2015 data breach. Annnnd, they agreed to pay an additional $39.5 million in a multistate settlement.
Talk about a medically-induced pain in the backside.
Enacted in 1996, HIPAA was established to “improve the portability and accountability of health insurance coverage,” as well as to prevent ID theft, and to reduce waste and abuse. In the years since its inception, Congress has recognized that advances in electronic technology could erode the privacy of health information, so they added provisions to HIPAA designed to protect the privacy of PHI. Violating HIPAA can obviously result in heavy fines and loss of patient trust, so if this regulation applies to your organization, you really do not want to mess it up.
In its 25+ years, the Act has gone through many iterations. In its current form, HIPAA consists of four rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule.
1. The HIPAA Privacy Rule
The Privacy Rule was enacted to protect the privacy and safety of medical records of individuals and other personal health information. It limits disclosing PHI without authorization from the patient.
2. The HIPAA Security Rule
The Security Rule is the heart of the HIPAA Compliance framework. This rule addresses the administrative, technical, and physical safeguards a business must implement to protect individuals’ electronic PHI.
3. The HIPAA Breach Notification Rule
The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. Failure to follow the HIPAA breach notification rules risks significant state and federal financial penalties. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.
In a tie-in to this rule, the Federal Trade Commission (FTC) imposes its own breach notification provisions to vendors of personal health records.
4. The HIPAA Enforcement Rule
This rule imposes civil monetary penalties for violations of HIPAA. Civil penalties can be imposed of $50,000 or more per violation, and up to $1.5 million per year in the case of willful neglect.
As of September 30, 2021, the Office of Civil Rights, the government body tasked with overseeing HIPAA, has settled or imposed penalties in 101 cases and has investigated complaints against many different types of entities including: pharmacies, hospital chains, medical centers, group health plans, and independent practitioners.
The Health Information Technology for Economic and Clinical Health (HITECH) Act demands a periodic audit of Compliance with the HIPAA rules. A report from December 2020 with the results of the 2016-2017 audits found that “[b]oth covered entities and business associates failed to implement effective risk analysis and risk management activities to safeguard electronic PHI.” In addition, the HHS noted that upon learning of the data breach in its preliminary investigation of Anthem, there were signs that there had been potential violations of HIPAA that included the requirement to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to PHI held by Anthem.
If you look for guidelines on HIPAA Compliance, you’ll get more than you expected. One brief list is supplied by the OIG, which lists the seven fundamental elements of an effective HIPAA Compliance Program as follows:
1. Implementing written policies, procedures and standards of conduct.
2. Designating a Compliance officer and Compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action
The consequences of failing to comply with HIPAA are significant, even when reasonable efforts have been made to meet the rules. Like we said above, non-compliance comes with a hefty price tag and can result in a loss of reputation and customer trust.
Compliance automation is the key to meeting and maintaining compliance with HIPAA requirements. It is instrumental in enabling PHI-collecting organizations to drastically reduce the time invested in Compliance activities, it removes cross-organization dependencies, and is the cornerstone of a successful Compliance program that scales with your organization throughout its lifecycle.
HIPAA is complex, and the potential penalties can be huge (just ask anyone at Anthem!). With HIPAA Compliance automation, organizations can make it simple to stay on the right side of this vast and sprawling body of rules.