Health Care Providers, Health Plans and Health Care Clearinghouses, together with the subcontractors known as ‘Business Associates’ who handle and electronically transmit patient information on their behalf, must stay in compliance with the regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). Passed in 1996, HIPAA governs the lawful handling and use of Protected Health Information (PHI) and falls under the purview of the Department of Health and Human Services (HHS). The agency that enforces the Privacy, Security and Breach Notification Rules is the HHS Office for Civil Rights (OCR).
The HITECH Act of 2009 gave HIPAA considerably more teeth: it made business associates directly liable for compliance with the Security Rule and much of the Privacy Rule, added the Breach Notification Rule, and raised the civil penalty tiers, while giving the Office of the National Coordinator for Health Information Technology authority over programs promoting the adoption of electronic health records. Enforcement has only grown tougher since. In July of 2016 the OCR greatly stepped up its auditing program with the Phase 2 desk audits of covered entities and business associates. As government agencies typically do, once they begin levying fines and collecting settlements they develop an appetite for more.
Access to the complete set of HIPAA Administrative Simplification Regulations is available on the Health and Human Services website.
In our 19-year capacity as a Managed IT Services firm, and a renowned member of the IT Support Los Angeles community, we at IT Support LA have assessed the Cybersecurity measures implemented by many businesses in the greater field of healthcare. We have rarely, if ever, found full compliance, but with our seasoned knowledge of HIPAA we have brought these medical networks’ security policies and procedures ‘up to code’.
Typically, the many medical networks whose Cybersecurity we have found woefully inadequate were being watched over by garden-variety, unqualified IT service ‘guys’ who know a few IT support ‘tricks’ but have little knowledge of HIPAA or any other government regulatory requirement; they just try to keep the computers running. Any medical practice should be under the care of a reputable, proven Managed Services Provider.
Every industry has its own set of compliance obligations to deal with, but HIPAA is arguably the most feared and most severe, because it protects Americans at their most vulnerable: when they are relying on medical professionals for their physical well-being. The possibility of civil lawsuits is ever-present, but the governmental penalties alone are substantial:
CIVIL MONETARY PENALTIES:
| Tier | Penalty |
|---|---|
| Covered entity or individual did not know (and by exercising reasonable diligence would not have known) that the act was a HIPAA violation. | $100 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
| The HIPAA violation had a reasonable cause and was not due to willful neglect. | $1,000 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
| The HIPAA violation was due to willful neglect but was corrected within the required period (30 days from when the entity knew or should have known of it). | $10,000 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
| The HIPAA violation was due to willful neglect and was not corrected. | $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
These are the figures set by the 2013 Omnibus Rule. HHS adjusts them annually for inflation, and since its April 2019 Notice of Enforcement Discretion it applies lower annual caps to the first three tiers ($25,000, $100,000 and $250,000 respectively), reserving the $1.5 million cap for uncorrected willful neglect.
Settlements and fines for especially egregious violations have gone well beyond these per-provision guidelines, because several provisions were violated over several years (most of the amounts below are negotiated settlements rather than formal civil money penalties): University of Mississippi Medical Center, $2.75 million; Oregon Health & Science University, $2.7 million; Triple-S, $3.5 million; New York Presbyterian Hospital/Columbia University, $4.8 million (New York Presbyterian was hit again for $2.2 million two years later); Cignet Health, $4.3 million; Advocate Health Care, $5.55 million. Those that have paid $1.5 million and above are too numerous to list here.
CRIMINAL PENALTIES:
| Offense | Penalty |
|---|---|
| Knowingly obtaining or disclosing individually identifiable health information. | Fine of up to $50,000 and up to one year in prison. |
| Doing so under false pretenses. | Fine of up to $100,000 and up to five years. |
| Doing so with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm. | Fine of up to $250,000 and up to ten years. |
Criminal cases are referred to the Department of Justice for prosecution rather than handled by OCR.
HIPAA Assessment & Compliance Q & A
Q: Can you sue someone for disclosing medical information?
A: Yes, even if the offender is not a medical provider. Note, however, that HIPAA itself gives individuals no private right of action: a lawsuit over disclosed medical information is brought under state law (negligence, breach of confidentiality, invasion of privacy and similar claims), sometimes citing the HIPAA standards as evidence of the duty of care. If any person discloses private medical information, and the act meets the legal requirements, you can sue, but consult an attorney with the specifics for guidance. The unpleasant truth is that anyone can sue anyone for anything; whether the suit has merit is another thing entirely. Separately from any lawsuit, a complaint can be filed with OCR, which can investigate and impose the penalties described above. As a Managed IT Services firm, IT Support LA has been called upon to serve as an expert witness in data breach litigation.
Q: Does HIPAA apply to everyone?
A: HIPAA applies only to ‘covered entities’ (Health Care Providers, Health Plans and Health Care Clearinghouses) and their ‘business associates’, meaning any company that creates, receives, maintains or transmits patient medical information on a covered entity’s behalf, for any reason. Since HITECH, business associates are directly liable for compliance and must sign a business associate agreement with each covered entity they serve. We at IT Support LA work with companies that have peripheral vendor relationships with the healthcare industry. Even where the data a company handles does not make it a designated ‘business associate’ with the liabilities that entails, the Cybersecurity measures we put in place for any client more than meet HIPAA requirements.
Q: How often is HIPAA violated?
A: Amazingly often, and growing. According to HIPAA Journal, in 2018 healthcare data breaches affecting 500 or more records were reported to OCR at a rate of about one per day. By the end of 2020, breaches were occurring at almost double that rate, an average of 1.76 per day. There is no sign of the trend reversing.
Every reputable Managed Services Provider in the country must remain vigilant as hackers continue to step up their attacks on the Cybersecurity measures which protect all facets of the healthcare industry.
Q: What are the three rules of HIPAA?
A: The three rules most often cited as the core of HIPAA are:
- The Privacy Rule, which sets the permitted uses and disclosures of PHI and patients’ rights over their records
- The Security Rule, which requires administrative, physical and technical safeguards for electronic PHI
- The Breach Notification Rule, which requires notification of affected individuals, HHS and in some cases the media after a breach of unsecured PHI
The Enforcement Rule, which sets out the penalty structure above, is sometimes listed as a fourth. The website emPower eLearning publishes detailed breakdowns of each rule.
Q: What are the 4 main purposes of HIPAA?
A: The four stated primary objectives of the HIPAA legislation are:
- Assure health insurance portability by eliminating ‘job lock’ caused by pre-existing medical conditions.
- Reduce healthcare fraud and abuse.
- Enforce standards for health information.
- Guarantee the security and privacy of health information.
Q: What do HIPAA laws protect?
A: As HHS’s summary of the Privacy Rule puts it, the rule protects “all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” The rule calls this information Protected Health Information (PHI). Information that has been de-identified under the rule’s standards is no longer PHI and is not protected.