The Department of Health and Human Services (“HHS”) recently released a HIPAA overview called “HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules” (the “Overview”). The Overview is intended to provide HIPAA Covered Entities such as physicians, hospitals, and other health care providers with a basic overview of HIPAA’s rules and responsibilities. The fact sheet also provides an overview to Business Associates (such as law firms and accounting firms who receive PHI from Covered Entities). The Overview can be found here.
The Overview explains that the HIPAA Privacy Rule protects individually identifiable protected health information (“PHI”), which includes information such as an individual’s past, present, or future physical or mental health condition.
The Overview reminds Covered Entities of their obligations under the HIPAA Breach Notification Rule to notify affected individuals, HHS and, in certain instances, the media in the event of a breach of PHI. The Overview includes a table explaining who must receive notification in the event of a breach and when they must receive notification, depending on how many individuals are affected by the breach.
In addition, the Overview explains who must comply with HIPAA. Covered Entities and Business Associates generally must follow HIPAA rules. Covered Entities include health care providers and health plans, while Business Associates include persons or organizations that perform certain functions for Covered Entities that involve access to PHI. The Overview lists examples of both Covered Entities and Business Associates.
Finally, HHS provides a link for more information on the enforcement process, and reminds those obligated to comply with HIPAA that violations may result in civil and, in some cases, criminal penalties. While HHS cites a couple of hypothetical examples of HIPAA enforcement, HIPAA violations - and the consequences thereof - are very much real world problems for those subject to HIPAA and its regulations.
For example, St. Elizabeth’s Medical Center, a Massachusetts hospital, recently agreed to pay $218,400 to the federal government to settle allegations of data breaches of patient information. The hospital had been using an Internet-based document sharing application to store documents containing electronic PHI of nearly 500 patients without first analyzing the risks associated with the platform. It also reported a data breach involving PHI on a former employee’s personal laptop and flash drive. In a statement, HHS’s Office for Civil Rights explained that, “Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.”
HIPAA is, and will continue to be, a hot and evolving topic in healthcare. For those subject to HIPAA, the obligations are significant and penalties can be steep. It is important to stay on top of HIPAA’s developments in order to reduce accidental violations and avoid penalties. If you have any questions about HIPAA and how it impacts your business.