In today’s increasingly digital times, data has become an integral part of healthcare operations. For example, it lets clinics, hospitals, and insurance companies store patient data electronically, allowing for more efficient filing. It’s also used in research to develop new treatments and improve the healthcare experience. In fact, the National Institutes of Health announced that they’re enrolling more than one million patients into their database — which includes their medical history, imaging results, and socio-behavioral diagnostics — to be able to provide guidelines on how healthcare facilities can provide better patient care in the future.
Of course, while data is useful, there’s also the huge responsibility that comes with handling it. To protect patient data, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. One of its provisions (Section II) restricts healthcare organizations’ ability to share patient data — and the consequences for violating the rules are grave.
Civil vs. Criminal penalties
When a HIPAA rule is broken, you and your employees can receive either of two charges: civil or criminal. Civil is for instances where data is “unintentionally” leaked, like when databases are hacked. The civil penalty structure is entirely monetary and is considered Civil Monetary Penalties (CMP). Depending on the extent of the damages, the Office for Civil Rights can charge CMP anywhere from $100 to $50,000 per violation, also considered “per record,” with a $1.5M maximum penalty per year.
On the other hand, criminal penalties are handled by the Department of Justice and are given to those who “knowingly” obtain or disclose health information. In this case “knowingly” is interpreted as requiring only knowledge of the specific act that violated the law — and knowledge of those actions being in violation of the HIPAA is not required.
Aside from a fine, the accused can be sentenced to prison. There are three levels of criminal penalties:
• Criminally negligent breaches caused by the organization or its employees,
• Sharing patient data to deceive others, or
• Leaking patient data for commercial advantage
Criminally negligent breaches are fined up to $50,000, and the guilty members involved are imprisoned for a year. Meanwhile, if data is shared on false pretenses, the penalties can reach up to $100,000 and five years of imprisonment. Finally, if it’s discovered that someone from the organization intentionally sold data to advertisers, they can be sentenced to up to ten years in prison and $250,000 in damages.
Who is at risk of violating HIPAA?
While violations can come from any professional, some are more at risk than others. If you want to avoid HIPAA’s consequences, you need to be stricter on your policies with the following people:
PAs, NPs & Other Healthcare Providers
As the main healthcare provider, doctors have free access to all their patient’s Protected Health Information (PHI). People can choose not to disclose their medical history, of course, but they can’t do so selectively. Once the patient signs their consent, their entire history becomes accessible. While HIPAA policy states that doctors only need to be retrained when the regulations change, it’s good practice to hold HIPAA compliance training at least once a year so they never forget the rules.
Nurses
Since handling PHI is also part of a nurse’s everyday work, a violation may occur without their knowledge. This is why you need a nurse manager with a great understanding of local policies and regulations. As one of the top careers in nursing, nurse managers are tasked to train and oversee a health institution’s team of nurses. They’re also responsible for briefing nurses about the consequences of HIPAA and what they can do to avoid them. Include annual training into their list of responsibilities as well.
Technicians
Every healthcare organization has some form of tech team that organizes patient data, making records easier to pull out at a moment’s notice. However, a single breach in integrity can cause the organization a lot of damage. Your technicians also need to be specialists in cybersecurity, so they can better protect the records from prying eyes. You can determine their competency in the field with an aptitude test from accredited security institutions like CompTIA Security+, DEKRA, and BSI America.
How can I protect my organization from the effects of HIPAA?
HIPAA charges will cost your organization a lot of money — not just because of the fines but because of the legal services and proceedings involved. But you can prepare to deal with the circumstances with the right insurance policies. For instance, Professional Liability insurances can be modified to cover HIPAA violations. You can even get a separate policy for technicians and other specific jobs. Cyber Insurance is also very important, especially when hackers are rampant in the industry. In fact, healthcare organizations will suffer a lot of cyber attacks in 2021. The computed average is two to three times more than the average for other industries.
Determine points where HIPAA violations can occur and get the corresponding insurance to cover for potential damages. It’ll cost you extra, but the investment will be worth it.
HIPAA policies are strict and complicated, so it’s easy to mess up. Make sure that your employees know the rules and get proper training. And when the worst happens, grant yourself some peace of mind through insurance policies, as well as the suite of services that most Cyber Insurance Companies are providing to their clients. Cyber Insurance Companies can provide you with cybersecurity and HIPAA experts to assist in training and other preventive measures.
Exclusively written for CMFGROUP.com
By: Raizel Jaime
