HIPAA. We've all heard the term. Every time we go to the doctor's office, there seems to be another form to fill out that is a "HIPAA requirement." To most of us, most of the time, HIPAA is just a pain in the butt. Is there any good reason for all this regulation? You bet there is.
Prior to 1996, health care information often fell into the hands of people and organizations that would use it against an individual. Sometimes this misuse had severe impact on a person's employment, or their ability to make major purchases such as a house or car. In some cases, the information was used to deny or cancel insurance policies. While the use of accessed health care information was generally not illegal, it was nearly always unethical. This invasive use of our private health information is what prompted the Federal government to enact HIPAA.
The Health Insurance Portability and Accountability Act of 1996 protects your health information by limiting who can see it and what they can do with it. It covers protected health information (PHI) about you that relates to your physical or mental health or condition, your health care, and the payments you make to obtain that care. And it covers information in all forms: medical records, conversations with your doctor, and information about you that is stored in your health insurance provider's computers. Organizations and individuals that divulge PHI, whether intentionally or by accident, can be fined up to $50,000 per event, and individuals (maybe your employees) who sell, transfer or use PHI for commercial advantage, personal gain or malicious harm can be subject to fines of up to $250,000 and imprisonment for up to 10 years. These strict penalties drive home the point that organizations must protect themselves from HIPAA violations by ensuring compliance with the required standards.
What can your organization do to comply with the HIPAA rules? The American Medical Association (AMA) offers these four tips: First, know your compliance requirements. Whether you are a health care provider or a health insurance plan, HHS's Health Information Privacy website at www.hhs.gov/ocr/privacy/index.html has good information that will help you become familiar with the HIPAA Administrative Simplification Statute and Rules. Second, prioritize your compliance activities. A thorough risk assessment of your organization's policies, practices, and technologies will reveal how prepared you are to handle PHI according to the rules contained in the HIPAA statute. Train your employees to identify and properly handle PHI. Third, ask the right questions. Do we create, maintain, process or transport PHI? Are our vendors and subcontractors meeting HIPAA requirements? What support services are available? And fourth, choose and use consultants wisely. Get an assessment from a security expert who knows the HIPAA requirements, offers a comprehensive security assessment of your whole organization, and will provide a detailed report of their findings.
Assessing your organization's compliance and training your employees carries a cost, but it's a small price to pay compared to the loss of reputation, fines and possible jail time for HIPAA violations. Protect your organization's health by safeguarding personal health information.