What is HIPAA?

“What is HIPAA?” is one of the most common questions from business owners. It’s a simple question with a complicated answer, but to keep you from getting lost in the shuffle – or worse, cut off from your HIPAA compliant health information – we are providing a quick explanation of the basics of HIPAA and its relevance to your personal health and your business operations.

What is HIPAA?

“HIPAA” is the acronym for the Health Insurance Portability and Accountability Act of 1996, also known as the HIPAA Privacy Rule. The Act was enacted by the 4th United States Congress (acts are numbered with the calendar year) and was established to assure private health care providers and private health insurance buyers that their sensitive information is protected. The Privacy Rule establishes basic guidelines that must be followed by both parties involved in the exchange of health care information, namely health care providers and private health insurance buyers. One of those basic guidelines is that protected health information must be safeguarded using secure encryption and private transmission.

The Security Rule is just one of many provisions in the HIPAA Privacy Rule that protect private health care information from unauthorized disclosure. The other major components of the HIPAA Privacy Rule include: an opt-in process for patients to request privacy notices; a process for promptly responding to any requests for such notices; and a guarantee that providers may be disciplined, penalty-free, or otherwise assessed in the case of unauthorized disclosure of patient information. The Security Rule does not apply directly to health care providers, but those health care providers who do business with individuals who have opted out of the Health Insurance Portability and Accountability Act (HIPAA) can be held liable for certain civil actions by those who have opted out. In addition, the Security Rule does not apply directly to health information about self-funded HMOs, PPOs, and other “fee for service” plans, and commercial health information is not protected under the Security Rule.

What is HIPAA privacy?

According to the Privacy Rule, when a person gives express authorization for a covered entity or self-employed person to disclose certain personal health information, that personal health information must be kept private at all times. How is this accomplished? The Privacy Rule requires that protected health information be protected using secure encryption and private transmission. It further requires that the identity of the person who authorized the disclosure of the private health information remain confidential and not be used against the individual. This ensures that the identities of those who give express authorization for a covered entity or self-employed person to disclose personal health information remain confidential.

What are the safeguards in place to help ensure that this HIPAA compliance rule is properly enforced?

The Security Rule explicitly provides penalties for those businesses and self-employed professionals who fail to take reasonable steps to protect personal health information. Accordingly, covered entities and business associates are strongly advised to learn about and comply with all applicable National Security Agency (NSA) standards related to HIPAA. The NSA also regularly publishes a list of the standards that it regards as the most important security safeguards in place under the HIPAA Privacy Rule.

What are the penalties for failing to comply with the privacy rule?

HIPAA fines can result from a number of different situations. In most cases, the penalties apply to a covered entity or self-employed person who fails to take reasonable measures to protect personal health information. In other cases, the fines may apply to a covered entity or self-employed person who discloses personal health information in a way that puts others at risk. In both cases, the fines may also be applied twice: once for the violation of the privacy rule and a second time for the subsequent offense.