Per the letter of the law, covered entities must implement reasonable safeguards, limit incidental uses, and avoid prohibited uses and disclosures of PHI, including in connection with the disposal of such information.
HIPAA’s Impact on Health Care
HIPAA helped shape the way information is handled and disposed of in the health care industry.
- It provides a way to help workers (and their families) transfer and continuation of their health insurance coverage if or when they lose or change jobs.
- It helps create a set of industry-wide standards for billing and processes—specifically electronic billing.
- It mandates the protection and confidential handling of PHI.
- Most importantly, it aims to reduce health care fraud and abuse.
The security requirements for these laws are covered in the privacy rule and security rule stated in this law.
HIPAA requirements were then modified as part of the health information technology for economic and clinical health act (HITECH). These laws and requirements are overseen by the Office of Civil Rights in the Department of Health and Human Services.
Updates to HIPAA’s Requirements
HIPAA security rules changed again with the American Recovery and Reinvestment Act. Some of these changes included:
Who Is Covered Under HIPAA
The law now places the same security requirements to business associates as covered entities, which includes administrative, physical, and technical safeguards mandated by the security rule.
Businesses are now required to appoint a security official, develop written procedures, and train its workforce on safeguarding private health information. They are now also subject to civil and criminal penalties under HIPAA.
Security Breach Notification Requirements
Covered entities and businesses must notify individuals of security breaches that occur when PHI is compromised through accidental exposure or theft.
This notification must be via mail or email depending on the preferences of the individual.
Large security breaches (more than 500 individuals) require that a “prominent media outlet” and the Department of Health and Human Services (HHS) also be notified and that a website run by HHS is maintained and updated with public disclosure of breaches.
Penalties for Security Violations Increased Significantly
The fine per violation grew from $100 per individual with a cap of $25,000 to $1,000 per individual with a cap of $100,000, along with a fine of $10,000 for willful neglect that caps at $250,000. A $50,000 fine with a cap of $1.5 million per calendar year will be imposed if problems are not corrected properly.
Expansion of Who May Sue for HIPAA Violations
Fines for violations can now go to individuals and their lawyers, which dramatically increases the incentives for lawyers to bring lawsuits. State Attorneys General can also bring about action against covered entities and businesses on behalf of their residents.
HIPAA has changed the healthcare landscape and brought unprecedented protection for Americans and increased accountability for health care providers and their business associates. To learn more, please visit the US Department of Health and Human Services.