What Does HIPAA Stand For?
Many entrepreneurs planning a healthcare app ask what HIPAA actually is. HIPAA (the Health Insurance Portability and Accountability Act) was designed to modernize the flow of healthcare information and to protect personal health data from fraud and theft. The act runs to well over a hundred pages, so there is a lot to discuss.
Here I explain HIPAA in simple terms and focus on what it means for tech products.
Who is Mandated to Follow HIPAA Requirements?
HIPAA covered entities are individuals or organizations that create, receive, store or transmit protected health information (PHI), including electronic PHI (ePHI) and electronic health records (EHRs). They fall into three main groups:
- Healthcare providers
- Health insurance companies
- Healthcare clearinghouses
It is important to remember that business associates of these entities, meaning any vendor or contractor that handles PHI on their behalf, also have to comply with HIPAA.
What matters most for entrepreneurs in these regulations? Violating the rules can be very expensive, because the act specifies heavy fines.
HIPAA Violation Fines
Before we get to the penalties themselves, we should first understand what triggers them.
A HIPAA violation happens when an obligated entity fails to comply with one or more HIPAA requirements. Violations can be intentional or unintentional and are divided into four tiers by severity and impact:
- Tier 1: An unintentional violation that the entity was not aware of and could not reasonably have avoided, even though it made a proper effort to comply with HIPAA. The penalty is $100 to $50,000 per violation, with an annual maximum of $1,500,000.
- Tier 2: An unintentional violation that the entity was aware of but could not have prevented even with a reasonable amount of effort (reasonable cause rather than willful neglect). The penalty is $1,000 to $50,000 per violation, with an annual maximum of $1,500,000.
- Tier 3: A violation resulting from "willful neglect" of HIPAA rules, where the issue was corrected within 30 days of being identified. The penalty is $10,000 to $50,000 per violation, with an annual maximum of $1,500,000.
- Tier 4: A violation resulting from "willful neglect" of HIPAA rules, where no attempt was made to correct the issue within 30 days of being identified. The penalty starts at $50,000 per violation, with an annual maximum of $1,500,000.
Has Anyone Been Fined?
To get a better feel for the penalty system and the types of violations, here are two examples of companies that were fined.
- Korunda Medical, LLC. Korunda Medical failed to send a patient's medical records to a third party at the patient's request. HIPAA's right of access requires covered entities to provide a copy of a patient's records, in the requested format where readily producible, to any person the patient designates, and to charge no more than a reasonable, cost-based fee. Korunda both delayed the transfer and charged more than is allowed. As a result, the company had to provide the records in the requested format free of charge and was fined $85,000.
- West Georgia Ambulance. The investigation into West Georgia Ambulance began in 2013, after the loss of an unencrypted laptop containing the personal information of over 500 individuals. The investigation uncovered long-standing HIPAA non-compliance, which resulted in a fine of $65,000. Note that the laptop being unencrypted is what made the loss a reportable breach: under HHS guidance, PHI on a device encrypted to current NIST standards is considered "secured", so losing such a device does not trigger breach notification in the same way.
Failures That Lead to Non-Compliance
Let's go through some frequent mistakes that can cost you a fortune when dealing with HIPAA.
- Improper disposal of information. Whether the data is digital or written on paper, make sure that after disposal it cannot fall into third-party hands: shred paper records, and wipe or physically destroy storage media rather than simply deleting files.
- Blind trust in your partners. HIPAA requires a written business associate agreement (BAA) with every vendor that handles PHI on your behalf. Make sure your business associates actually comply with HIPAA and fulfil the terms of that contract, so that their failure does not become your breach.
- Spreading information around. Minimize the chance that PHI is overheard. Train your employees not to say a patient's full name together with their health condition within earshot of third parties.
- Handling data storage carelessly. If you store ePHI and EHRs on your own hard drives, back them up regularly and encrypt them. HIPAA-compliant cloud storage has a number of advantages over physical drives: you do not have to manage backups, scaling or server-room space yourself, and instead of buying new drives you simply pay for more capacity. Keep in mind, though, that a cloud provider storing ePHI is a business associate, so it must sign a BAA, and you remain responsible for configuring access controls and encryption correctly on your side.