In a world where technology is expanding at a breathless pace, it is no wonder that the health care industry is taking advantage of digital solutions to better serve patients. As the demand for digitized health care has increased, laws that protect patient rights and privacy have grown and matured. And so, for a company that works in the health care space, or for any company that works with personal client information, effective data security technical solutions are critical.
Accenture’s 2018 Consumer Survey on Digital Health confirms that consumers are becoming increasingly dependent on technology and virtual assistance to meet their healthcare needs. The survey explored, for example, the perceived advantages of virtual versus in-person healthcare services. More than half of healthcare consumers believe virtual care reduces medical costs to patients. With virtual care, consumers also see advantages in accommodating patients’ schedules and providing timely care. And though consumers still believe the top advantage of in-person care is the quality of patient care, the report leaves no doubt that “Healthcare consumers are becoming more open to using intelligent technologies, sharing data and allowing a combination of man and machine to power a new model of healthcare.”
This increasing appetite for digitized health care spotlights the need for strong laws to protect patient rights and privacy. The US law governing the healthcare industry and connected 3rd parties is known as HIPAA. HIPAA law establishes national standards to protect individuals’ medical records and other personal health information, and compliance is mandatory.
As far back as the 1990s, it became apparent that the increasing use of computers and electronically transferred information required standards to preserve patient confidentiality. Early HIPAA aimed to establish those standards, with civil and criminal punishments facing those who failed compliance audits.
Does thinking about HIPAA compliance rules give you a headache?
In this context piece, we will try to simplify it for you a bit – and reinforce why the healthcare industry, and all industries handling personal data, need strong security technology solutions.
HIPAA is the Health Insurance Portability and Accountability Act. It codifies how healthcare providers and other business units must record, manage, store, and share a patient’s private or sensitive personal medical information. HIPAA was passed by Congress in 1996, and it was only applicable to “(CE) covered entities”, which principally included those involved in operating a healthcare facility, treating patients, or sending or receiving healthcare payments.
HIPAA contains four primary rules:
- HIPAA Privacy Rule – Deals with the use and disclosure of protected health information (PHI).
- HIPAA Security Rule – Addresses security needs for the electronic receipt, transmission, transfer, and storage of protected health information. Requiring data privacy solutions is the main goal of this rule.
- HIPAA Enforcement Rule – Specifies how compliance should be handled through investigations.
- HIPAA Breach Notification Rule – Discusses the need for alerting patients whose data/information had been lost or stolen or compromised in any way.
After 1996, there were several significant changes and additions to HIPAA, including a 2013 final Omnibus rule issued by Health and Human Services (HHS) in accordance with HITECH, the Health Information Technology for Economic and Clinical Health Act. The HITECH provisions strengthen the privacy and security protections for health information established under the original HIPAA Act. This was where HIPAA’s authority over health-tech companies came into focus.
Does HIPAA compliance apply to my company?
The Omnibus rule made significant changes to the requirements for health industry data privacy solutions. It extended accountability beyond those in the direct medical industry to “any business that works on behalf of or for covered entities (CEs)”. Such entities are called Business Associates. In general, a Business Associate is a person or organization that performs certain functions or activities that involve the use or disclosure of individually identifiable health information. Business associate functions include claims processing, data analysis, utilization review, and billing, as well as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. In other words, HIPAA applies to just about any service performed on behalf of a covered entity that involves the collection, use or disclosure of health information.
So, how do the HIPAA laws affect companies who work with or support the health care industry? For example, if your firm plans to develop a mobile application, must it be HIPAA compliant? If a consumer is using a wearable device (such as Fitbit or Runkeeper) to collect health data for their own personal use, HIPAA does not apply. (Remember that HIPAA regulations only apply to covered entities and business associates.) However, if your company wants to develop an app that records, stores, manages, or shares protected health information for/ with/ or on behalf of CEs, then HIPAA compliance is necessary! And if you think about it…doesn’t it make sense that any company, whether in the health care industry or not, should be concerned about protection of customer and employee personal information???
Legal Implications
The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).
So, what if you violate HIPAA compliance?
If you are found guilty of violating HIPAA rules, you will pay—literally. Heavy penalties apply even if you violate the rules unintentionally. If you knowingly use, obtain, or disclose protected health information, criminal charges could be filed against you with a potential fine and 1 to 10 ten years imprisonment. Potential penalties and fines were updated in 2019, and include a tiered structure for violations starting from $25,000 for Tier 1.
Penalty Tiers Under Notification of Enforcement Discretion
| Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | 1,000 | 50,000 | 100,000 |
| Willful Neglect—Corrected | 10,000 | 50,000 | 250,000 |
| Willful Neglect—Not Corrected | 50,000 | 50,000 | 1,500,000 |
HIPAA laws and rules can change. Most recently, as a result of the COVID-19 emergency, HHS issued major changes to the enforcement of HIPAA compliance in 2020. These “unprecedented HIPAA flexibilities” are intended to ease the burden on healthcare organizations and business associates that are having to overcome major challenges testing and treating COVID-19 patients. According to HHS, these changes to HIPAA enforcement were introduced to ensure that HIPAA compliance does not get in the way of the provision of high-quality patient care.
Aside from the risk of fines or penalties for HIPAA violations, consider the other costs and reputational damage that accrues to any company that fails to protect personal consumer data. The bottom line is this: HIPAA laws and standards offer a model for security practices that should be present in almost any business managing sensitive data. Data privacy solutions are critical for companies to prosper in today’s digital-centric environment. The use of a combination of strong technology security mechanisms and business policies are a company’s best ways to guard against the business risk associated with mishandled personal data or data breaches.
Granted, staying HIPAA-level secure or PCI (Payment Card Industry) compliant becomes more and more complex as time goes by. But with data security services by Layer One Networks, you can get the protection, reliability, and consistency your company needs.
Layer One Networks is a Corpus Christi, TX based provider with expertise in helping companies manage data and authorized access with transmission encryptions, firewalls, authentications, passwords, and other cutting-edge data privacy solutions. We work as an extension of your in-house IT department. We believe in people-centric support, meaning we are there to support the technology needs of each person and not just the devices, services, or applications they may use. Your system and your customer data are safe with our data security services!
Share your feedback on the above post. For more such posts, stay connected.