If your organization handles sensitive information like medical records, it's important to comply with HIPAA to safeguard patient privacy and avoid penalties. You may be wondering:
How do I know which HIPAA Privacy Rules apply to my organization?
Answer: All HIPAA Privacy Rules, as well as the Administrative Simplification Rules, apply to covered entities. Covered entities are health plans, health care clearinghouses and health care providers that electronically conduct transactions involving certain health information. Use this guide to determine whether you are a covered entity.
HIPAA Privacy Rule components
The HIPAA Privacy Rule is extensive and covers a number of patient privacy regulations. However, you can break down the law into three main sections:
- Information safeguards: Covered entities must have policies and procedures in place to safeguard protected health information (PHI). Whether your organization is a small practice or a large-scale hospital, workforce members cannot, for instance, leave a medical record open on the receptionist's desk. Additionally, your organization must document these policies in writing so auditors can see what measures you have taken to ensure PHI is not unnecessarily disclosed.
- Conditional disclosures: Health care providers cannot release PHI without a patient's authorization unless the disclosure is necessary for treatment, payment or health care operations. Learn more about what constitutes an authorized disclosure on the U.S. Department of Health and Human Services website.
- Patient rights: HIPAA defends patient privacy rights, but it also protects patients' right to stay informed. If a patient requests their medical record, a covered entity must deliver the documents within 30 days. The patient also has the right to revoke their authorization of PHI disclosure, and covered entities must provide instructions on how all patients can do so.
Penalties related to noncompliance
The HHS reserves the right to determine the penalty based on the nature and extent of the violation and the harm done, though civil penalties are categorized by culpability. According to the American Medical Association, the minimum penalties are as follows:
- An individual unknowingly violated HIPAA: $100 per violation.
- An individual violated HIPAA due to a reasonable cause: $1,000 per violation.
- An individual violated HIPAA as a result of willful neglect but corrected the issue: $10,000 per violation.
- An individual violated HIPAA as a result of willful neglect and did not correct the issue: $50,000 per violation.
Covered entities must remain informed about HIPAA and have adequate tools in place to ensure compliance, protect patient privacy and prevent violations and fees.