Imagine the following scenario: you are a health care provider, and you transmit claims electronically. You work hard to ensure you comply with federal regulations, but one day, you are notified that you are under investigation for violating the terms of the Health Insurance Portability and Accountability Act (HIPAA). You are alarmed by this notification and wonder what you might have done wrong, and what steps you could have taken to avoid that mistake.
What is HIPAA?
HIPAA is a legislative act, passed in 1996 and governed by the Office of Civil Rights (OCR), which is responsible for enforcing its Privacy and Security Rules. The goal of HIPAA is to improve the portability and accountability of healthcare coverage for workers who are between jobs. HIPAA also aims to ensure that workers who have pre-existing health conditions can maintain health insurance coverage.
Also, HIPAA requires that healthcare organizations follow specific standards which reduce paperwork and make the administration of health insurance less complicated. This includes things like the sending and receipt of payments, verification of eligibility, and the streamlining of billing processes. One of HIPAA's objectives was to make sure that the transition from paper to electronic records was seamless and smooth.
What Happens If There is a Complaint?
As noted above, enforcement of HIPAA regulations is the purview of the Office of Civil Rights. OCR is tasked with investigating complaints, conducting compliance reviews, and educating healthcare providers in order to improve compliance.
If there is a complaint, OCR will gather all relevant information and determine whether a violation of the Privacy or Security Rules has occurred. If OCR determines that there is noncompliance, it could require voluntary compliance, corrective action, or a resolution agreement. In some instances, entities which do not comply could be the subject of civil or criminal penalties. In cases where there could be criminal penalties, OCR could refer the complaint to the Department of Justice (DOJ), which will then conduct further investigation.
What Do Civil Penalties Look Like?
Civil penalties for HIPAA violations generally mean the imposition of a fine. The amount of the fine is based on the extent of the violation and how much harm it caused. Unless "willful neglect" is determined, civil penalties will not be imposed when violations are corrected within 30 days. Fines could be as small as $100, or as large as $50,000 (in cases of willful neglect).
What Criminal Penalties Could Be Imposed?
As noted, criminal penalties are the purview of the Department of Justice. Violators who are deemed to have "knowingly" disclosed someone's health information could receive a fine of up to $50,000 and up to one year of imprisonment. Those who commit violations "under false pretenses" could be fined as much as $100,000 and be sentenced to as much as five years in prison. Finally, those who intended to sell or otherwise use private health information for commercial purposes receive the stiffest penalties: a fine of up to $250,000 and imprisonment of up to 10 years.
If your organization falls under the HIPAA privacy and security rules, contact Total Computer Solutions to set up a risk assessment and make sure your procedures are up to par.