One of the most personal types of data is medical information. And when it comes to protecting this information, the government doesnâ€™t give anyone wiggle room to make excuses.
Armed with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has settled millions of dollars against violators.
The financial impact of HIPAA violations is especially burdensome on small businesses. This is why small firms have to take increased precaution to ensure they are not violating any HIPPA regulations. Whether youâ€™re providing healthcare directly or support services, you are equally liable under HIPAA.
In a press release announcing the recent large settlement associated with health data breaches, Elliot Dinkin, a nationally known expert in actuarial, compensation and employee benefits issues, explained the liabilities.
Dinkin says the OCR is serious about penalizing any HIPAA violations. But the OCR is not the only agency, states also go after violators, which adds to the final levy imposed by regulators.
Dinkin warns, â€śGiven the recent tendency on the part of HHS toward active enforcement, we strongly urge business associates and covered entities to review their current agreements with an expert in the field to make certain they are in compliance with HIPAA.â€ť
Exposure to Risk
The exposure to risk applies to anyone in the value chain of providers in the healthcare segment. Support service providers are especially susceptible if they donâ€™t have the right protocols in place.
Small businesses which disclose personal health information (PHI) are liable. And donâ€™t think the OCR wonâ€™t go after you because your company is small.
In 2016 the OCR announced it was no longer going only after breaches involving the personal health information of 500 or more individuals. With this announcement, regional OCR offices will go after cases with less than 500 people.
In addition to those offering direct services the U.S. Department of Health & Human Services (HHS) also requires the same from others who have access to health information. The HHS calls contractors, subcontractors, and other outside persons and companies â€śbusiness associates.â€ť
These associates include:
- Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
- Companies that help administer health plans
- People like outside lawyers, accountants, and IT specialists
- Companies that store or destroy medical records
HIPPA Violation Penalties
In 2018 the OCR had a record year for HIPAA enforcement. This amounted to $28.7 million, which is more than $5M from the previous record set in 2016. The year also brought the largest single fine against Anthem, Inc. for $16M.
But the violations are not always big. The penalties for non-compliance can go anywhere from $100 to $50,000 per violation/record. This maxes out at $1.5M per year if the violation is of the same provision. Based on the number of patients/records and neglect by the violator, the fines can increase.
In addition to financial penalties, criminal charges can also result in jail time.
If your small business is in the healthcare industry and you are not sure if youâ€™re liable for any of the HIPAA regulation, consult with an expert.