Posted on: August 14, 2018 by Manchester Specialty
Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) set national standards for the confidentiality, security and transmissibility of personal health information (PHI). PHI includes names, birthdates, phone numbers, emails, Social Security numbers, medical record numbers, health insurance, biometric identifiers and other data created or collected by a covered entity (or a business associate of a covered entity) that can be linked to a specific individual. The Department of Health and Human Services (HHS) defines covered entities as health care providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and government agencies.
Under the HIPAA Privacy Rule, health care providers, including home health care and hospice organizations, are required to protect and keep confidential any personal health information. The rule also sets limits and conditions on its use and disclosure without patient authorization. It gives patients rights to their health information, including rights to obtain a copy of their medical records, and request corrections.
HIPAA violations can result in significant fines by the HHS’ Office for Civil Rights (OCR), up to $1.5 million. Additionally, healthcare providers can be at risk for sanctions or loss of income. In 2017 alone, OCR imposed $19,393,000 in fines on covered entities and business associates to resolve HIPAA violations.
How does OCR go about enforcing HIPAA and determining a resolution?
OCR is responsible for investigating all filed complaints, conducting compliance reviews to ensure covered entities are in compliance, and performing education and outreach to encourage compliance. Once OCR determines that it will investigate a complaint, it notifies both the person who filed the complaint and the organization named in it. Both parties are then asked for information about the incident described in the complaint. By law, covered entities must cooperate with complaint investigations. After reviewing the information or evidence for each case, OCR determines whether the organization violated the requirements of the HIPAA Privacy Rule. If it concludes that a violation occurred, it will ask that the organization voluntarily comply and suggest a corrective action and/or resolution agreement. When an organization doesn’t comply, OCR may fine the organization with civil money penalties. If the organization is fined, it can have an HHS administrative law judge decide if the fines are supported by the evidence in the case.
What are the more common reasons for HIPAA violation citations? Following is a list compiled by the Health IT and CIO Report:
Making privacy and security of patient information a priority is critical for the continued success of a home health care provider. Not only can the organization find itself in violation of HIPAA law, but the exposed data can also lead to nefarious use by cyber criminals, exposing the provider to third-party lawsuits. All providers should ensure that their training materials are current and conduct annual HIPAA training to prevent potential violations. In addition, be sure your clients carry Cyber liability insurance in the event of a breach, and Professional Liability insurance, which can often be endorsed to cover the costs of HIPAA proceedings, fines and penalties.
Manchester Specialty Programs offers a Cyber insurance solution designed for home health care providers, which also includes valuable cyber management and loss prevention assistance through our carriers and third-party consultants. We also provide Professional Liability insurance coverage that can include coverage relative to HIPAA violations, fines and penalties. For more information about our Cyber and Professional Liability insurance solutions and how you can assist your clients, please contact us at 855.972.9399
Sources: Health IT & CIO Report, Total HIPAA Compliance