For most of us, HIPAA is just some strange acronym for a law we stumble across everytime we visit a doctor’s office or medical clinic. Something about signing to allow the office to have access to your medical records so they can treat you. Or something like that. However, if your business has a professional relationship with a medical office, hospital, healthcare provider or health insurance plan, you may well be regulated by HIPAA. This matters because failing to abide by HIPAA privacy regulations can result in serious penalties. Just as an example, check out these dollar figures from HHS, who administers HIPAA.
|All such violations of an identical
provision in a calendar year
|(A) Did Not Know||$100-$50,000||$1,500,000|
|(B) Reasonable Cause||1,000-50,000||1,500,000|
|(C)(i) Willful Neglect-Corrected||10,000-50,000||1,500,000|
|(C)(ii) Willful Neglect-Not Corrected||50,000||1,500,000|
And those numbers are per breach of an individual’s data, not per event. The point is, this looming giant of a law creates a very imposing set of regulations that, if not tightly adhered to, can result in severe liabilities and penalties.
If you are a medical office or a healthcare provider, you are very aware that you are regulated by HIPAA. However, many others are covered by the law and it isn’t always readily apparent who is affected. Cloud service providers, data server farms, attorneys, CPAs, and Managed Service Providers may also be regulated by HIPAA, and ignorance of the law is no defense against penalties and fines for failing to protect patient data privacy.
If your business has access, even just in the aggregate, to personal medical data, you are subject to HIPAA regulations and can be fined if a data breach occurs while the data is under your watch. One of the areas where you are most vulnerable is when the data exists in electronic form. In this case, the opportunity for a data breach to occur increases dramatically. There are so many ways nefarious actors can try to break your data, and simple things like a lost laptop or thumb drive that is not encrypted could subject you to a breach. If you suspect you handle HIPAA protected data and haven’t already been identified as a Business Associate, work directly with the organization that created that data as well as a managed service provider with expertise in HIPAA compliance.