HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting private medical patient information and can often lead to headaches for those in health care.
With the introduction of new health care technology for storing patient information coming onto the market every day, that also means there is an increase in security risks. From a virus attacking a computer on a secure network to a hacker accessing patient information from a “cloud,” it is important for those in the medical field to have a deep understanding of how to properly protect sensitive patient information.
The Office for Civil Rights requires all medical professionals to have appropriate safeguards in place to protect the privacy of personal health information, which can be a lofty task. HIPAA manuals are hundreds and hundreds of pages long, so it is important for those in charge to seek assistance when compliance questions arise. Even when all the correct protocols are in place, there still can be security incidents — or breaches — meaning there has been an impermissible use of protected health information.
When there is an official breach that needs to be reported to the Office of Civil Rights, one of the main factors that will be looked at is whether the incident was caused by ignorance or negligence. Depending on the severity, there are a large number of risks and consequences that may follow.
Lost time and effort
Rectifying an issue or breach can take a lot of time and energy from leadership. The team will need to work with the Office of Civil Rights to determine exactly how information was compromised, who was responsible, how to prevent it from happening again and ensuring all employees are following the same protocol. It is important to be proactive with measures that decrease potential breaches, as this will save time and money.
HIPAA violations are not cheap. Penalties for noncompliance, which are based on the level of negligence, can range from as little as $100 per violation up to $50,000. The maximum penalty per year for violations is $1.5 million, an amount that could be extremely detrimental to a small or medium-sized practice. Depending on the severity of the situation, criminal fines or jail time also can be introduced.
After there has been a breach of protected health information, if more than 500 residents of a state have been affected, it is required that the entity provide notification to the media, in addition to each individual that was affected. Typically, a press release detailing the breach will be sent to the media and the entity must then respond to any media inquiries. Negative media attention can be difficult to overcome and can lead to loss of trust among their patient base.
Loss of patients
If there is a pattern of breaches within one medical practice or health care entity, this can lead to patients choosing to go elsewhere. Medical information is extremely personal and patients will want to know they can trust their health care provider to keep their records confidential.
In some circumstances, the combination of fines, negative press and loss of patients is too much for a medical practice to overcome and they must close. This is something that should be avoidable if employees carefully follow HIPAA laws and regularly review their security practices.
Understanding HIPAA rules can be difficult and sometimes overwhelming, so it is important to partner with a knowledgeable team that can help with ongoing management of HIPAA compliance. Ensuring there are proactive protocols in place to protect sensitive information and reduce risks of HIPAA negligence will help save time and money in the future.