Who Does HIPAA Apply To?

HIPAA applies to all healthcare providers and covered entities.

  • HIPAA was divided into two rules: the Privacy Rule and the Security Rule.
  • The US Department of Health and Human Services will issue civil penalties for HIPAA violations.
  • HIPAA defines a business associate as a person or company that provides services to a covered entity that involve the disclosure of PHI.

Who Does HIPAA Apply To?

The individuals and organizations who are required to follow HIPAA are considered “covered entities” (CDC). HIPAA applies to most employers and workers, since employers and workers associate themselves with these “covered entities.” HIPAA covers a company or a business that provides health plans or helps pay for a healthcare provider.

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the sensitive medical information of a patient or person from being disclosed. HIPAA also prevents healthcare providers and businesses from working with those who seek to sell out private information. HIPAA is a federal law created by the US Department of Health and Human Services, so it is a law to be taken seriously.

The Two Rules of HIPAA

HIPAA was divided into two rules: the Standards for Privacy of Individually Identifiable Health Information, which is the Privacy Rule, and the Security Standards for the Protection of Electronic Protected Health Information, which is the Security Rule.

Together, these rules define specific standards and requirements for organizations to follow for handling protected health information (PHI). Therefore, these rules protect patients’ health records as well as their personal information.

Not only do these rules protect the patient’s confidentiality, but HIPAA also protects the organizations that deal with protected health information. This is because they require safeguards to help prevent potential data leaks or other vulnerabilities that could put the company, its employees, and its patients at risk.

Is There Anyone That HIPAA Doesn’t Apply To?

According to the US Department of Health and Human Services, there are a few positions and organizations that do not have to follow HIPAA guidelines. These exemptions include:

  • Life insurers
  • Employers*
  • Workers’ compensation carriers

*There is a special rule that applies to employers; we will discuss this in the section below.

Employers & HIPAA

HIPAA applies to most employers, since most of them provide some sort of healthcare program or plan. Employers cannot obtain a worker’s health information from one of the “covered entities.” However, HIPAA doesn’t apply to your employment records.

HIPAA doesn’t have control over an employer’s actions. For example, an employer can ask for a doctor’s note or other health information from a worker. However, a healthcare provider cannot share health information with an employer. For more details about employers and health information in the workplace, please read the Health Information Privacy website.

What Is Considered Protected Health Information?

Protected Health Information (PHI), also commonly referred to as personal health information, is any data that healthcare professionals collect to identify an individual and determine appropriate care. This could include information like:

  • Demographic information
  • Medical histories
  • Test and laboratory results
  • Mental health conditions
  • Insurance information

What Are Personal Health Information Identifiers?

HIPAA lists 18 different information identifiers that, when paired with health information, become PHI. Some of these identifiers alone can allow an individual to be identified, contacted, or located. These 18 identifiers are:

  1. Name
  2. Address
  3. Dates
  4. Phone number
  5. Fax number
  6. Email address
  7. Social security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URL
  15. IP address
  16. Biometric identifiers
  17. Full-face photographs
  18. Identifying characteristics, like tattoos or piercings

HIPAA Violations

The US Department of Health and Human Services will issue civil penalties for HIPAA violations. The Office for Civil Rights (OCR), a branch of the Health and Human Services Department, investigates complaints about potential HIPAA violations. There are four tiers of civil penalties based on the severity of the violation. These four tiers are as follows:

Tier 1 applies to individuals who did not know HIPAA rules were being violated. The minimum penalty is a $100 fine per violation with a maximum fine of $25,000 for repeated violations.

Tier 2 applies to violations with a reasonable cause. This entails a minimum fine of $1,000 per violation and up to $100,000 for repeated violations.

Tier 3 applies to violations involving willful neglect of HIPAA Rules when the violation has been corrected within the required time period. The minimum fine per violation is $10,000. The maximum fine for repeated violations is $250,000.

Tier 4 applies to violations involving willful neglect of HIPAA Rules with no attempt to correct the violation. This violation would be considered the most severe, with a minimum penalty of $50,000 per violation and a cap of $1.5 million for repeated violations.

Accidental HIPAA Violation

Accidental violations of the HIPAA rules would most likely fall under the category of tier 1 violations. However, even if it was an accident, whether you lose your job may depend on how serious the violation was.

If at the time of the violation you were not aware of the mistake you were making, the violation was small, and the violation caused no harm, it will most likely be dealt with privately. This would mean that a verbal or written warning may be issued and your employer may require further training on HIPAA compliance. In this instance, it is not likely you will lose your job.

However, even if HIPAA Rules were unknowingly violated, termination is likely if the violation was serious. A violation like this will be reported, and if you are a healthcare provider, suspension or loss of your license is a possibility.

Criminal Penalties

If the OCR believes there has been a potential criminal violation of the HIPAA Rules, it can refer the violation to the Department of Justice for review and/or an investigation. Criminal penalties for HIPAA violations are not very common; however, they do happen. There are only three tiers for criminal violations. They are as follows:

Tier 1 applies to negligence or reasonable cause violations, resulting in a fine of up to $50,000 and up to one year in prison.

Tier 2 applies to violations committed under false pretenses, which carry a fine of up to $100,000 and up to five years in prison.

Tier 3 applies to violations caused by personal gain or malicious intent. A violation of this degree results in a fine of up to $250,000 and up to 10 years in prison.

What Is a HIPAA Business Associate?

HIPAA defines a business associate as a person or company that provides services to a covered entity that involve the disclosure of PHI. Businesses that would be considered business associates are:

  • Software companies with access to PHI
  • Companies in claims processing
  • Companies in collections

Business associates are also required to follow all HIPAA rules, and if they violate them, they may receive the same penalties as listed above.

Who Are HIPAA Covered Entities?

Covered entities are defined in the HIPAA rules as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with Health & Human Services standards. Each of these categories includes multiple organizations or individuals. The covered entities are the following:

  • Health Plans – This would be an individual or company that provides or pays for the cost of medical care. That includes health insurance companies and government-sponsored healthcare like Medicare.
  • Healthcare Clearinghouses – These receive health information from another entity and process it into a standard data content. Examples of these are billing services and community health information systems.
  • Healthcare Providers – This is any provider of medical or health services. These include clinics, pharmacies, doctors, nursing homes, dentists, etc.

HIPAA Violations – Who They Apply To and When

The Health Insurance Portability and Accountability Act is a U.S. law that helps “… protect sensitive health information from being disclosed without the patient’s consent or knowledge” (CDC). This is accomplished by the “HIPAA Privacy Rule” that was implemented by the U.S. Department of Health and Human Services, or HHS. The CDC outlines that the HIPAA Privacy Rule both protects the information of individual patients and allows the efficient flow of health information needed to maintain quality care. The Privacy Rule applies to certain individuals and organizations, which are classified as “covered entities.” This includes healthcare providers, health plans, healthcare clearinghouses, and business associates.

The HHS’s Office for Civil Rights (OCR) is the body that enforces these privacy and security guidelines. The American Medical Association outlines that the OCR enforces the Privacy and Security Rules by investigating any complaints filed, conducting compliance reviews of covered entities, and performing education and outreach to foster compliance with the requirements. Failure to comply with HIPAA can result in severe consequences depending on the violation. If a HIPAA violation has occurred, penalties are decided based on the severity of the violation, whether the covered entity was aware of the issue, and whether it took measures to correct the violation within the time window given by the HHS.

Civil penalties for a HIPAA violation that is deemed “Unknowing” can range from $100 to $50,000, with an annual maximum of $25,000 for repeat violations. A HIPAA violation where the HHS believes the covered entity had “Reasonable Cause” to know about the issue can carry penalties of $1,000 to $50,000 per violation, with $100,000 being the annual maximum for repeat violations (AMA).

If the HHS finds there was intentional neglect but the issue is corrected within the required time period, penalties will range from $10,000 to $50,000 per violation, with the annual maximum being $250,000 for repeat violations. If there was intentional neglect and the issue isn’t corrected in the required time period, penalties are the most severe. Fines will be $50,000 per violation, with an annual maximum of $1.5 million (AMA). Keep in mind that many HIPAA violations can also carry criminal penalties, including prison time. Maintaining the security of this information is incredibly important for avoiding these penalties and for protecting patients’ personal health information.

Other rules exist within the HIPAA Privacy Rule, like the Security Rule. This rule protects any health information that is made, sent, stored, or generally kept in electronic form. This means that compliance with the Security Rule requires covered entities to do the following (CDC):

  • Ensure security, integrity, and availability of all electronic health records
  • Monitor and safeguard against any anticipated security threats to health information
  • Protect against any unanticipated uses or disclosures of information without permission
  • Certify compliance of all workers in the covered entity

While HIPAA may not apply to your employment records, it is reassuring that HIPAA prevents employers from acquiring health information from your healthcare providers or health plans. If any of these covered entities or associates violate one of HIPAA’s laws, they are subjected to fines and other consequences.

Our Safety Training

Here at Hard Hat Training, our goal is to make safety training courses engaging and affordable. Our HIPAA Safety Training course is available for purchase today.

Our training materials are updated whenever changes are made to the safety standards, enabling us to provide you with the most thorough and up-to-date training options for your employees.

Our course catalog presents our customers with over 200 training topics to choose from. Each of our courses is fully narrated and organized with the goal of helping students understand and follow all the safety information they are learning. We offer many ways to accomplish safety training that are easy, affordable, and convenient.

For more information check out our related articles Is HIPAA Only Between a Doctor and a Patient? and What is an Example of a HIPAA Violation?