“But, I didn’t know.”
It’s no excuse. Whether you’re five or fifty-five, you’ve often responded to an accusation with this sentence. Unfortunately, in the world of data protection, regulators don’t want to hear that phrase. You must know. When it comes to employee or customer healthcare information, accidents can bankrupt a company. Maintaining a corporate culture of security-first compliance to create a cyber aware workforce prepares and protects your practice or your enterprise from common HIPAA violations associated with employee actions - whether you’re in the healthcare field or not.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS), acting through its Office for Civil Rights (OCR), to adopt national standards for electronic healthcare information. Extended over the years, HIPAA now incorporates the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.
A short HIPAA summary is that these four rules establish strict guidelines for privacy and security controls over protected health information (PHI). Defined as “individually identifiable health information,” PHI or electronic PHI (ePHI) includes any demographic information, medical history, test or lab results, mental health information, insurance information or other data that identifies a client. However, to fully understand not only what HIPAA is but how it relates to your business, you need a brief overview of the Security Rule and Privacy Rule.
In short, the Security Rule creates a series of guidelines for making sure that you safeguard the confidentiality, integrity, and availability of ePHI that you create, receive, maintain, or transmit. In other words, don’t let someone accidentally access the information or steal it, no matter what it is or where it is. As part of this, you need to identify and protect against potential risks that lead to unintended uses or disclosures. Moreover, you need to make sure your employees do the same.
Although similar in nature, the HIPAA Privacy Rule focuses on a person’s right to control the use of their information. While you need to secure it, you also need to make sure that you’re not letting anyone have accidental access to it.
These sound similar, but there are two important distinctions:
HIPAA applies to you as a “covered entity” if you’re a healthcare provider, health plan, or health care clearinghouse. The HIPAA definition of “business associates” expands that to incorporate third parties who perform functions on behalf of covered entities and who use or disclose health information for them.
In other words, if you’re looking to expand a software or web application to enable any of the covered entities mentioned above, then you need to be compliant with HIPAA rules.
Although HIPAA violations arise in a variety of ways, they all incorporate “someone who shouldn’t know something who learns about it because there weren’t enough protections.” This definition includes everything from employees having too much system access, to a hacker gaining entrance to your system, to someone leaving a piece of paper on a desk or a screen open to view.
Under the Enforcement Rule, OCR can levy fines anywhere from $100 per violation (not exceeding $25,000 annually) to $50,000 per violation (not exceeding $1.5 million annually) for an accidental violation. The penalty minimums increase as you act more willfully when violating the law. In fact, if your actions are too egregious, the Department of Justice can fine you $250,000 and up to ten years in jail for a data compromise with an intent to sell, transfer or use the information for commercial advantage, personal gain, or malicious harm.
Even if you’re not a healthcare provider or business associate (a third party handling healthcare information on behalf of a healthcare provider), you may still be at risk. HIPAA law and employers have a tense relationship. Although employee medical privacy rights mostly fall under the Americans with Disabilities Act, some fall under HIPAA laws and regulations. Importantly, a few HIPAA guidelines for employers exist.
Whatever you do, never call an employee’s health care service provider. Just don’t do it.
If you require medical exams as part of an employee health program or as a requirement for a job offer, keep medical information segregated from traditional employee records. This can be physical segregation or digital segregation (such as a different server).
If you’re using an Administrative Services Only (ASO) plan in which you as the employer pay benefits using your own company funds, then you need to be entirely HIPAA compliant.
If you’re getting more than summary information from the group health plan, it’s covered by HIPAA and needs protection. Make sure you review the documentation sent to your Human Resources Department and either create new practices or better define what information the group health plan should send you.
Both of these may be classified as hybrid entities wherein the provider transmits information for payment. As such, if you maintain records like these, you need to lock them down to be compliant.
You may be over the moon that your employee is pregnant or devastated by a cancer diagnosis. However, unless your employee allows you to disclose, the announcement can be a HIPAA violation.
HIPAA violation stories abound. An emergency medical services worker posting on social media can be viewed as a violation. Businesses that no longer operate, and even short-lived Snapchat or Instagram Stories posts, offer additional potential examples of HIPAA violation lawsuits.
HIPAA’s detailed control list and risk assessment requirements make your security-first approach difficult. You want to be transparent, but the rules sometimes prevent that. At Zeguro, we value transparency in the way we communicate with our customers, which can also be a guide to how you view medical data transparency: