HIPAA violations can cost your practice big time. Federal fines for noncompliance are scaled to the degree of negligence within your organization at the time of the violation. In human terms, fines range from $100 to $50,000 depending on how far out of line your organization is with HIPAA standards. Staying in compliance with HIPAA is a smart business decision: it earns you trust from your customers and saves you money in fines.
There are only three main rules to follow as a qualifying business under HIPAA. Stick to the guidelines laid out in the specific subsections of these rules and your healthcare business will be off to a good start.
Rule #1 HIPAA Privacy Rule
The Privacy Rule gives individuals rights over their PHI. This includes the right to examine and obtain a copy of their health records in the form and manner they request. Individuals may also request corrections to their information if it is recorded incorrectly. The Privacy Rule permits the disclosure of health information needed for patient care.
Rule #2 Security Rule
Covered entities must develop and put in place reasonable security measures, through policies and procedures, to protect the security of ePHI. Any ePHI created, transmitted, or maintained must be protected. Analyze the risks to ePHI in your business's specific environment and use that analysis to create safeguards appropriate to your own situation. What counts as appropriate depends on many factors, including the type of business, the amount of customer data stored, and the size of the business.
Rule #3 Breach Notification Rule
The HIPAA Breach Notification Rule requires entities to notify affected individuals of a breach of unsecured PHI. Generally, a breach is an impermissible use under the Privacy Rule that compromises the security or privacy of PHI. A disclosure of PHI is presumed to be a breach unless a risk assessment shows there is a low probability that the PHI has been compromised.
Provide notifications no later than 60 days after discovering the breach. Report breaches affecting fewer than 500 individuals to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.
Fines & Penalties
First Tier: The covered entity did not know, and could not reasonably have known, about the breach. This would cost your business between $100 and $50,000 per incident, up to $1.5 million.
Second Tier: The entity knew or should have known of the violation but did not act. This would cost your business between $1,000 and $50,000 per incident, up to $1.5 million.
Third Tier: The company corrected the problem within 30 days of the violation. This would cost your business between $10,000 and $50,000 per incident, up to $1.5 million.
Fourth Tier: The company failed to make a timely correction to the problem. This would cost your business $50,000 per incident, up to $1.5 million.
Steering clear of HIPAA violations and fines can save your business countless hours and dollars. If you still have questions, you can contact a risk advisor today at 914-357-8444.