The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a covered regulation and federal law that was implemented in recognition of the increased dangers associated with the ever-increasing amount of personal and private health data stored and transferred in electronic form in the modern era.
HIPAA is served by three key rules:
The key thing to remember about the HIPAA rules is that they establish that ownership of personal health data belongs to the individual, that the data must remain accessible to the individual, and that it cannot be shared without consent. However, it’s not just about the risk of healthcare fraud. HIPAA also requires that such data remain available and enforces requirements such as archiving.
As with any federal regulation, HIPAA defines who is covered by the regulations and must abide by them. These organizations are referred to as covered entities. A covered entity in HIPAA is defined as one of the following:
In addition to covered entities, HIPAA rules also apply to business associates, which are, as the name implies, organizations that do business with the covered entity and make authorized use of protected health information, but only in a manner specified by the covered entity, and only if required safeguards and processes are in place. Business associates will be covered in more detail in another article.
If you fall under the category of a covered entity, you are ultimately responsible for any data breach that occurs with PHI data that originates with you. You must comply with the HIPAA rules and regulations in order to stay compliant as a covered entity. If a breach occurs with any business associate (or any business associate of a business associate) in your established chain of custody, the responsibility for the breach can be shared with the entire chain on up to the covered entity. For this reason, it is very important to ensure that any organization you share protected health information with is not only HIPAA compliant, but that they understand the privacy and security rules, as well as their responsibilities in ensuring that anyone they share such information with is equally aware of their responsibility.
HIPAA violations can be costly not only to the organization involved but also to any individual involved. At the least, a violation might mean the loss of your job, and if it is a willful and criminal violation, it can result in criminal penalties including hefty fines or even jail time. From an organizational perspective, fines can be high enough to easily bankrupt small to mid-sized organizations. The highest fine recorded for 2022 so far was $875,000, but as recently as 2021, the highest recorded fine was $5.1 million. In earlier years, heftier fines still are listed, and the potential for such large fines is ever-present.
Chances are, you don’t become a covered entity… You either are one and aware of it, or you are not. Covered entities are well-defined, and even if you are creating a new business as a health plan provider, or are setting up a new doctor’s office, or nearly any business within the health and human services, the industry requirements make it very clear that you fall under HIPAA regulations and must be HIPAA compliant as a covered entity.
The better question to ask may be how to verify that you are indeed compliant, and there are numerous organizations that can help with this if you are just starting out. Flatirons Development is certified through an organization called AccountableHQ and ensures compliance for any project that requires it. There are a number of organizations that can help you verify that you are properly trained and certified, but AccountableHQ is one of the industry leaders and can help with HIPAA, GDPR, CCPA, ADA, and more.
Flatirons Development is a HIPAA-compliant vendor that hires only top-tier talent, and does not limit itself to resources from within the United States. Our search for the most experienced and talented software engineers spans Latin America and North America and provides us with an amazing team of onshore and nearshore resources ready and willing to tackle your projects. We build your applications from scratch in-house, and also offer outsourcing services, filling individual gaps within your team or entire teams operating under your organization’s processes and oversight. And yes, we can also help with HIPAA compliance. Contact us to discuss your project.