In terms of security, 2019 has been one of the most dreadful years in the healthcare industry. 41.2 million healthcare records were exposed, stolen, or impermissibly disclosed in 2019 alone. It has been recorded as the second-worst year for healthcare data breaches, with more records affected than in the previous three years combined. But the scary part is that healthcare organizations are not alone to blame.
Whether they are aware or not, countless companies across several key industries face the risk of being hit with hefty penalties, fines, or criminal charges due to HIPAA non-compliance. To be more specific, it is due to the lack of awareness and proper implementation of HIPAA compliance requirements for business associates.
While the stipulations of the Health Insurance Portability and Accountability Act (HIPAA) usually lead to visions of medical offices and hospital waiting rooms, the set of regulations also apply to many non-medical businesses.
So the question is, how can you know if your business needs to be HIPAA compliant? Let’s take a look at a few key facts that all business owners should consider when it comes to complex compliance measures.
HIPAA applies to more than just hospitals and healthcare facilities
A common misconception about HIPAA is that people believe it only applies to hospitals and physicians. On the contrary, HIPAA compliance requirements also extend to non-medical businesses such as attorneys, law firms, consultants, insurance agents, advisors, and agents. Under HIPAA, these types of firms are called business associates.
The reason is these companies often perform tasks on behalf of covered entities that involve access to sensitive patient data, which makes them equally responsible for meeting the rules and regulations outlined in HIPAA. However, not all attorneys, law firms, etc. are required to comply with HIPAA. Determining when a non-medical business needs to maintain compliance is the trickier part. Simply put, if your job functions require you to access sensitive patient data, regardless of how you have acquired that access, then you must ensure HIPAA compliance.
Any entity that collects, maintains or transmits protected health information (PHI) should ensure compliance. If your company hasn’t started ensuring HIPAA compliance yet, then you need to act before it’s too late.
Countless numbers of business associates are still in the dark
After the passage of the Final Omnibus Rule in 2013, business associates are responsible for meeting HIPAA compliance requirements. Just like any healthcare organizations, business associates can also be audited, investigated, and fined for compromising PHI.
Yet surprisingly, many businesses remain in the dark and are unaware that they must adhere to HIPAA rules and regulations and that they are in danger of getting hit with heavy penalties if and when they are caught violating HIPAA stipulations.
A survey conducted by Legal Workspace suggests that the majority of the law firms are not complying with HIPAA rules and regulations, even though their work involves dealing with patient data. And that’s not all. One of the worst incidents from last year involved the breach of 20 million patients’ information that was caused by a business associate and not a healthcare facility.
The problem is many covered entities still do not understand what qualifies as a business associate. If you still do not understand what business associates mean, you might want to look up how the Department of Health and Human Services (HHS) defines business associates.
Simplify your compliance efforts to avoid dangerously high penalties
HIPAA violations should be taken seriously. Many organizations have been penalized by HHS for non-compliance in recent years. To make matters worse, fines have been increased. This means that even a single instance of violation, whether intentional or inadvertent, could cost you millions of dollars in fines.
To ensure HIPAA compliance many organizations are using software and tools, such as HIPAA compliance software to streamline their compliance efforts. Many of these tools have the means to help organizations identify gaps in their practice and the means to close down the gaps. It is also recommended to have appropriate security measures in place and to encrypt data, both when it’s in transit or at rest.
HIPAA compliance does not have to be frustrating. With the right kind of tools, even HIPAA compliance can look simple.
This post may contain affiliate links.