MINORITY & VETERAN OWNED

HIPAA COMPLIANCE

Securing Protected Health Information (PHI) is serious business. If your organization accesses, processes, or stores PHI, you are subject to the Health Insurance Portability and Accountability Act (HIPAA), in force since 1996. Violations are met with heavy fines, criminal charges, civil suits, and, of course, customer defection. These consequences are the same whether the breach was the result of malice, negligence, or an unwitting mistake. No business, no matter how big or small, can afford to be complacent.

It is your duty to fully understand and implement all of the requirements of HIPAA, and to make sure your employees are informed and your data systems are secure. You are responsible to the individuals that HIPAA is meant to protect, and TMPC will ensure that you understand what is required of you and that you meet those requirements effectively and efficiently.

TMPC's strategies will help you communicate your policies to your team, monitor compliance, and run instant security reports, all while putting you in a better position to demonstrate your compliance to auditors, ensuring that your business can keep doing what it does best.

FREQUENTLY ASKED QUESTIONS

WHAT ARE THE BASIC HIPAA RULES?

    1. The HIPAA Privacy Rule dictates the permitted uses and disclosures of protected health information (PHI). The rule also gives individuals rights over their PHI, including the right to review or request a copy of their health records and the right to direct a company that possesses their PHI to transmit it to a third party.
    2. The HIPAA Security Rule requires that covered entities meet national standards for protecting the creation, use, maintenance, transmission, and receipt of PHI. This rule requires a combination of physical and technical safeguards to ensure the confidentiality, integrity, and security of PHI.
    3. The HIPAA Breach Notification Rule requires all PHI breaches to be reported to the affected individuals, the Department of Health and Human Services, and, in the case of larger breaches, the media, to help ensure that all affected individuals have been informed.

WHAT IS A BUSINESS ASSOCIATE?

Under HIPAA, business associates are third-party organizations that work with PHI on behalf of covered entities. This includes companies that offer billing support or provide software. To stay compliant, a covered entity must obtain a Business Associate Agreement (BAA) before any PHI is shared with a business associate; that agreement is a legal document that requires both parties to be HIPAA compliant.

WHAT ARE THE PENALTIES FOR VIOLATING HIPAA?

There can be both financial penalties and criminal consequences for HIPAA violations. The Department of Health and Human Services' Office for Civil Rights issues penalties according to four tiers, ranging from errors at mostly compliant covered entities to willful neglect that has not been addressed within 30 days. Depending on the number of people affected, the length of time a violation was permitted to persist, and the nature of the PHI exposed, fines at all tier levels can be up to almost $2 million, with even minor violations costing almost $64,000.

CAN MY ORGANIZATION TAKE CARE OF ITS OWN HIPAA COMPLIANCE?

Yes, and the Department of Health and Human Services has resources you can use to assess, implement, and monitor your compliance. That said, HIPAA is a complex law with many layers of requirements, both physical and technical, and most organizations choose to work with a third party, like TMPC, to help them secure their PHI environment and avoid costly fines or even criminal charges.

TMPC HIPAA CHECKLIST

POLICIES

Have clear policies in place for mitigation, to be renewed every year and updated as needed. TMPC can help you create clear and thorough policies that are easy to communicate and implement.

HIPAA COMPLIANCE OFFICER

Appoint a team member as your organization's HIPAA Compliance Officer (HCO). This person will serve as your HIPAA expert for the whole organization, offering training and keeping up to date on technology compliance and on any revisions to the law. We can help you get your HCO up to speed so they can keep your team informed.

RISK ASSESSMENT

HIPAA requires annual risk assessments to determine risks and identify vulnerabilities in your security environment. You are then required to address those weaknesses and gaps in a timely manner to stay compliant.

TRAINING

Support and ensure that your HCO offers annual HIPAA training for all staff, as well as training for new members during onboarding. A HIPAA program is only effective if ALL stakeholders understand both its importance and how to comply.

MITIGATION

Even with the best strategies in place, breaches occur due to simple errors, hackers, or, sometimes, disgruntled employees. TMPC can help you develop clear remediation policies, to be renewed every year and updated as needed.

ASSESS THIRD-PARTY COMPLIANCE

If you work with business partners outside of your organization, individuals and companies alike, assess their HIPAA compliance standards annually. If you don't, and they have a breach, then the reality is that you have a breach. Make sure your business associates know what they are doing.

REPORTING BREACHES

The HIPAA Breach Notification Rule requires you to notify the Department of Health and Human Services and the affected patients when there is a breach of their PHI. Report breaches without delay, and ensure that all team members understand the importance of reporting and how to do it.