When you store and protect patient health information, you have to do so according to HIPAA’s strict standards. If you don’t, you could cost yourself up to $1.5 million per year in fines!
At a very general level, HIPAA requires you to take appropriate measures to safeguard private health information. And if you already contract with an IT support vendor, that contract must cover the protection of health information. And yet, many healthcare businesses don’t do this!
HIPAA Requires a Lot from “Business Associates” that Provide this Service
To HIPAA, a “business associate” is an entity that arranges, creates, receives, maintains, or transmits legally protected health information on behalf of a “covered entity.” A covered entity is you, the healthcare organization.
What Do You Have to Do?
There’s a lot of regulation in this area. The list below isn’t everything you need to do, but it gives you a rough idea of what is required:
1. Covered entities must clearly define how business associates can use protected health information.
2. Contracts signed between the two parties must state business associates will only use protected health information as HIPAA law or the contract requires.
3. Your business associate must report any data protection breaches.
4. Your business associate must take all appropriate measures to comply with the HIPAA Security Rule.
5. The business associate must make protected health information available to patients who need it, and must make the information available for amendment when needed.
6. The business associate must also comply with the HIPAA privacy rule.
7. Your business associate must provide USDHHS with its internal records and related documentation so that compliance with the HIPAA privacy rule can be determined.
8. The business associate must return or destroy all protected health information received from the covered entity when the contract between the two parties ends.
9. Subcontractors of the business associate must agree to work under the same regulations governing the business associate’s handling of protected health information.
10. If the business associate violates any regulations regarding protected health information, the covered entity must terminate the contract.
What Penalties Could You Get?
Any HIPAA violations you cause could cost your company a lot. Here’s a rough breakdown of what could happen:
1. Did Not Know – $100 – $50,000 fine per violation
2. Reasonable Cause – $1,000 – $50,000 fine per violation
3. Willful Neglect – Corrected – $10,000 – $50,000 fine per violation
4. Willful Neglect – Not Corrected – $50,000 fine per violation
In all cases, if you violate identical provisions within the same calendar year, you can be fined up to $1.5 million in total. HHS does scale these fines to the size of the company, so you don’t have to worry about going bankrupt overnight.
But they can still be fairly significant.
If You’re a Healthcare Company:
You need to be taking the proper data protection security measures to stay in compliance with HIPAA!
And if you have an outsourced IT vendor, you must have a contract in place stating how the vendor (aka “business associate”) will take care of these data security measures.
Learn more about the author Bob Martin