HIPAA Security

What is HIPAA Security?

The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 with the original purpose of improving the efficiency and effectiveness of the U.S. healthcare system. Over time, several rules were added to HIPAA focusing on the protection of sensitive patient information.

Covered entities under HIPAA include health plans, healthcare clearinghouses, and any healthcare provider that electronically transmits information such as health claims, coordination of benefits, and referral authorizations. Covered entities comprise individuals, organizations and institutions, including research institutions and government agencies.

In 2013, the Omnibus Rule, based on the Health Information Technology for Economic and Clinical Health (HITECH) Act, extended HIPAA to business associates, which can include attorneys, IT contractors, accountants, and even cloud services.

Consequences of Noncompliance

HIPAA requires covered entities including business associates to put in place technical, physical, and administrative safeguards for protected health information (PHI). These safeguards are intended to protect not only privacy but also the integrity and accessibility of the data.

The Department of Health and Human Services Office of Civil Rights (OCR) enforces noncriminal violations of HIPAA. Noncompliance may result in fines that range between $100 and $50,000 per violation “of the same provision” per calendar year.

Many OCR HIPAA settlements have resulted in fines over $1 million. The largest settlement as of September 2016 was for $5.5 million, levied against Advocate Health Care, stemming from several breaches that affected a total of 4 million individuals.

In addition to civil penalties, individuals and organizations can be held criminally liable when obtaining or disclosing PHI knowingly, under false pretenses, or with the intention to use for commercial gain or malicious purpose. Criminal offenses under HIPAA fall under the jurisdiction of the U.S. Department of Justice and can result in imprisonment for up to 10 years, in addition to fines.