Medical records contain sensitive and confidential information about an individual’s health. And, as such, keeping these records private, safe, and secure remains a critical responsibility. That’s exactly why the HIPAA law was created, and why it remains so important to this day.
So, what’s it all about?
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to regulate the use and disclosure of Protected Health Information (PHI) by healthcare providers, health plans, and other entities that handle medical records.
HIPAA law is essential in safeguarding the privacy of patients and ensuring their medical information remains confidential.
Let’s take a closer look at some of the specifics, and what you need to know about your rights and responsibilities.
Related Article: Public Health Groups Sue OSHA Over Recordkeeping Requirements
Here’s Why the HIPAA Law Is Important
HIPAA law ensures medical records remain confidential by requiring covered entities to implement safeguards to protect PHI.
Such covered entities include healthcare providers, health plans, and healthcare clearinghouses, among others.
Further, HIPAA law outlines specific requirements these entities must follow to ensure the confidentiality, integrity, and availability of PHI.
Some of these requirements include:
- Privacy Rule: This rule establishes national standards for protecting the privacy of PHI. It outlines how PHI can be used, disclosed, and accessed by covered entities and their business associates.
- Security Rule: This rule establishes national standards for protecting electronic PHI (ePHI). It requires covered entities to implement administrative, physical, and technical safeguards to protect ePHI from unauthorized access, disclosure, and destruction.
- Breach Notification Rule: This rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media, when there is a breach of unsecured PHI.
- Omnibus Rule: This rule strengthened HIPAA law by expanding the definition of business associates, increasing penalties for noncompliance, and providing individuals with additional rights regarding their PHI.
By following these rules, covered entities can ensure that medical records remain private, safe, and secure.
But in a recent development, a Southwest Baltimore medical facility exposed private patient records to the public.
So, are there any deterrent measures, or consequences, to prevent such an event from occurring again?
What Happens If You Don’t Follow HIPAA Law?
Failing to follow HIPAA law can result in severe consequences for covered entities.
Violations of HIPAA law can result in both civil and criminal penalties, depending on the severity of the violation.
Civil penalties can range from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for each identical violation. These penalties can be imposed by the HHS Office for Civil Rights (OCR) after an investigation of a HIPAA violation.
Criminal penalties can result in fines and imprisonment. Criminal penalties are enforced by the Department of Justice (DOJ), and can be imposed on individuals who knowingly obtain or disclose PHI without authorization.
Of course, the severity of the penalty depends on the nature and extent of the violation.
In addition to penalties, HIPAA violations can also result in reputational damage, loss of business, and legal fees.
A violation of HIPAA law can lead to a loss of trust between the patient and healthcare provider, which can be difficult to regain.
Patients may choose to seek care elsewhere, resulting in a loss of revenue for the healthcare provider. Legal fees can also quickly add up, especially if there is a lawsuit involved.
Click to read more about HIPAA violations and penalties. how to file a HIPAA violation complaint, or to learn about the most common HIPAA violations you should avoid.
How to Stay Compliant with HIPAA Guidelines
There’s no one-size-fits all approach to HIPAA compliance.
But, that said, a sample HIPAA compliance checklist can offer key elements you should consider before embarking on the journey to HIPAA compliance:
- Establish whether or not your organization is required to comply with HIPAA; and, if so, which rules apply to your organization’s operations.
- If required to comply with any Privacy Rules, appoint a Privacy Officer. If required to comply with any Security Rules, appoint a Security Officer.
- Understand what PHI is – and what it isn´t. Developing policies that restrict the flow of information can negatively impact healthcare operations.
- Conduct an audit to determine where PHI is created, received, stored, or transmitted, and how it is shared with Business Associates.
- Minimize the number of designated record sets in which PHI is maintained to simplify the management and protection of PHI.
- Be aware that the Security Rule consists of more than just the Administrative, Physical, and Technical Safeguards.
- Ensure measures are put in place for promptly notifying individuals and HHS´ Office for Civil Rights of data breaches.
- Determine whether or not your organization is exempted from reporting data breaches to the State Attorneys General.
- Make sure you have a way of finding out about changes to HIPAA and temporary Notices of Enforcement Discretion.
- If in doubt about your organization’s compliance obligations, seek professional advice from a HIPAA-compliance professional.
Bringing It Together
HIPAA law is crucial in protecting the privacy of patients and ensuring that medical records remain confidential.
Covered entities must follow specific requirements to ensure the confidentiality, integrity, and availability of PHI. Failing to follow HIPAA law can result in severe consequences, including civil and criminal penalties, reputational damage, loss of business, and legal fees.
And, at Worksite Medical, it’s an obligation we take seriously. We understand the importance of your employees’ privacy, and the crucial steps needed to keep their information safe and secure. We employ a wide range of cybersecurity measures to prevent unwanted attacks, and will never release sensitive information to unauthorized parties.
You and your employees deserve the utmost care and respect, and we’re honored to provide it.
About Worksite Medical
In most cases, OSHA requires medical surveillance testing, and at no cost to employees.
Worksite Medical makes that program easier with mobile medical testing.
We conduct on-site respirator fit tests, as well as audiometric exams, pulmonary function tests and heavy metal lab work, right on your job site. We also keep accurate, easy-to-access medical records for your convenience. You’ll keep your employees at work, and stay ahead of OSHA inspections.