If you’re the owner of an SMB (small to medium business), you may be wondering whether the 1996 Health Insurance Portability and Accountability Act (HIPAA), the set of regulatory standards that governs the lawful use and disclosure of protected health information (PHI), is something your business is legally required to comply with.
The short answer is yes. HIPAA compliance is regulated by the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). The law is designed to keep patients’ private health information secure, and through a series of interlocking regulatory rules (the Privacy Rule, the Security Rule, and the Breach Notification Rule), all covered health organizations and their business associates must follow HIPAA-compliant practices, such as using HIPAA-compliant hosting for any system that stores or transmits PHI.
HIPAA regulates two types of organizations: Covered Entities and Business Associates. Covered Entities are health plans (including Medicare and Medicaid), health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. In practice, Covered Entities are the businesses that directly provide or pay for healthcare: hospitals, clinics, dentists, psychologists, nursing homes, even chiropractors and pharmacies.
A health care provider that operates on a cash-only basis, with no electronic transactions with a health insurer, is not considered a Covered Entity and is therefore not regulated by HIPAA on that basis.
However, even those organizations are still responsible for keeping medical records private, and are regulated by the FTC as well as state law. A cash-only organization may also become a Business Associate if it handles PHI on behalf of a Covered Entity. Businesses commonly considered Business Associates under HIPAA include medical billing companies, CPAs, attorneys, IT companies, cloud and hosting providers, and software companies, but that is not an exhaustive list.
HIPAA requires that companies, regardless of industry sector, comply with its regulations whenever they create, receive, maintain, or transmit patients’ protected health information for a Covered Entity. In other words, HIPAA applies to your small to medium business if you ever handle electronic protected health information (ePHI). Every company that has access to protected health information therefore has a responsibility to comply with HIPAA.
The SecurityMetrics 2018 HIPAA manual contains instructions specifically for Business Associates, and explains that for a company to be considered as operating in a HIPAA-compliant manner, it must take steps to ensure that ePHI and private records are forwarded only to providers that also comply with HIPAA (typically under a signed Business Associate Agreement). Your business should also be prepared for a HIPAA risk assessment, which the Security Rule requires you to perform and document.
While it may sound burdensome to adhere to HIPAA’s strict guidelines, the benefits of compliance are considerable, and the penalties for companies found in breach are severe. For example, if ePHI is leaked, OCR will investigate the organization’s level of HIPAA compliance. Even if the violation occurred because the organization did not know (and could not reasonably have known) it was violating HIPAA, a fine of up to $50,000 per violation can be levied, with higher tiers for willful neglect. In 2018, Anthem paid a record $16 million USD settlement to the Office for Civil Rights over compliance failures connected to a data breach in which 78.8 million patient records were stolen.
While HIPAA regulations are designed primarily for patients’ protection, compliance does offer benefits to the company. It reduces executive and organizational liability and protects staff members from personal liability; in that sense, documented compliance acts as a kind of insurance policy for companies that handle ePHI in the event that data is stolen.