HIPAA legislation is so far-reaching, and covers so many different scenarios, in this article we hope to provide an outline of what medical professionals need as you review your HIPAA compliance process.
Understanding all that is affected by HIPAA is not easy. Current legislation is comprised of the original 1996 Healthcare Insurance Portability and Accountability Act with additional sections added via the Privacy Rule of 2000, the Security Rule of 2003, The Enforcement Act of 2006, the Health Information Technology for Economic and Clinical Health Act (HITECH) and the American Recovery and Reinvestment Act introduced in 2009 (ARRA).
Final rules were enacted in 2013 adding more changes to how HIPAA is to be adopted.
HIPAA email rules require that covered entities to implement controls, audits, integrity processes, ID authentication, and transmission security have to be fulfilled in order to:
- Restrict access to ePHI
- Monitor how ePHI is transmitted
- Ensure the integrity of ePHI
- Ensure 100% message accountability, and
- Protect ePHI from unauthorized access during transmission
Any individual has the right under the Privacy Rule to request that the health care provider communicate with them by alternative means or at alternative locations. If a patient believes that HIPAA rules have been violated by the health care provider, they may file a complaint with the federal government. In most cases, complaints are investigated. Action may be brought against the covered entity if the complaint is substantiated and it is established that HIPAA rules may have been violated.
The specific actions taken against the covered health care provider will depend on many factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA rules.
The HHS Office for Civil Rights (OCR) has had the power to issue financial penalties to covered entities that fail to comply with HIPAA rules. To read the 2013 Final Rules, please visit this link.
The table below outlines the minimum and maximum fine, per violation
|Penalties for HIPAA Email Violations (per violation, per year)||Minimum Fine||Maximum Fine|
|Could not have avoided with reasonable care||$100||$50,000|
|HIPAA email violation despite reasonable care||$1,000||$50,000|
|Willful Neglect – Corrected within reasonable time||$10,000||$50,000|
|Willful Neglect – Not corrected||$50,000||$1,500,000|
What is Considered Protected Health Information (PHI)
HIPAA regulations call out eighteen personal identifiers which, when linked together, are classed as Protected Health Information. These eighteen personal identifiers are:
- Patient names
- All geographical data smaller than a state
- Dates (other than year) directly related to an individual
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web addresses
- Internet protocol (IP) addresses
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Full face photos and comparable images
- Any unique identifying number, characteristic or code
Now that you recognize how imperative it is that you make all your communications and your medical website HIPAA compliant, the question remains just how do you go about it?
Making your website HIPAA compliant extends far beyond basic encryption, and the only way you can avoid this is if your website doesn’t hold or collect personal information and does not incur any third party transactions.
For people who want to make their website HIPAA compliant, the first thing to do is to secure your website using SSL (Secure Sockets Layer). If you have visited sites with this prefix https:// then you should know what I mean already. This protocol encrypts communication between server and browser so your site has to have it to comply with HIPAA laws.
To further boost your site’s security in compliance with HIPAA, you can install high-security data collection forms, this gives your site extra protection against hackers and phishers who may want to hack your website. Always remember that basic website templates and websites built more than 3 years ago will not provide the level of security your website needs, so it’s always a smart decision to go with a company that fully understands what’s involved to upgrade your email and forms and what’s at risk for you if you do nothing.
Don’t put your practice at risk; work to protect the privacy of your patient’s information. If you want a modern, clean, responsive website that complies with HIPAA rules, you should contact us today. Unless, of course, you would prefer to pay those hefty fines that come with non-compliance with HIPAA rules.