
HIPAA FAQ


Before engaging in a HIPAA audit, it is important to know the difference between a covered entity and a business associate, because HIPAA has different requirements for each group.

As a recap, there are three rules, and only one is mandatory for both groups:

  1. Security Rule: Mandatory for both covered entities and business associates
  2. Breach Notification Rule: Optional for business associates and mandatory for covered entities
  3. Privacy Rule: Optional for business associates and mandatory for covered entities

A covered entity is your typical health care organization (private, employee, state, or federal), such as:

  1. Health insurance companies
  2. HMOs
  3. Government programs like Medicaid
  4. Doctors
  5. Clinics/Hospitals
  6. Psychologists
  7. Dentists
  8. Chiropractors
  9. Nursing homes
  10. Pharmacies

These healthcare providers use the services of other individuals or businesses to help carry out their healthcare functions. These are the business associates. Some examples include:

  1. A third-party administrator that assists a health plan with claims processing.
  2. A CPA firm whose accounting services to a health care provider involve access to protected health information.
  3. An attorney whose legal services to a health plan involve access to protected health information.
  4. A consultant that performs utilization reviews for a hospital.
  5. A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  6. An independent medical transcriptionist that provides transcription services to a physician.
  7. A pharmacy benefits manager that manages a health plan’s pharmacist network.

Penalties for HIPAA violations depend on the type and severity of the violation. There are two types of violations:

  1. Civil violations
  2. Criminal violations

Civil violations result from:

  1. Lack of knowledge: the covered entity or business associate was unaware of the HIPAA rules. The fines range from $100 to $60,000 per violation.
  2. Reasonable cause and not willful neglect: the covered entity or business associate should have known the action would violate HIPAA but was not aware at the time. The fines range from $1,000 to $60,000 per violation.
  3. Willful neglect, corrected within 30 days: the violation was caused by willful neglect, but the covered entity took corrective action within 30 days. The fines range from $12,000 to $60,000 per violation.
  4. Willful neglect, not corrected within 30 days: the violation constitutes willful neglect, and the entity made no attempt to correct it within 30 days. The fines range from $60,000 to $1,000,000 per violation.

Criminal violations result from:

  1. Wrongful disclosure of PHI: the individual should have known better but, due to lack of knowledge, did not realize they violated a rule. Up to $50,000, up to one year in prison, or both.
  2. Wrongful disclosure of PHI under false pretences: obtaining PHI under false pretences or disclosing it without permission. For example, a hospital employee cannot access the records of patients who are not under their care. Up to $100,000, up to five years in prison, or both.
  3. Wrongful disclosure of PHI under false pretences with malicious intent: the individual wrongfully obtains PHI with the intent to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm. Up to $250,000, up to ten years in prison, or both.

HIPAA violations should be taken seriously and require special care. The following steps should be taken after a violation:

  1. An investigation of the incident
  2. Conducting a risk assessment to evaluate the level of compromise
  3. Providing further training, as appropriate, to the individual(s) responsible for the violation

Depending on the results of the risk assessment, the following steps may also be required:

  1. Notification of the individual(s) whose privacy was violated
  2. Reporting the breach to the Department of Health and Human Services Office for Civil Rights (OCR)

In particular, for business associates:

Business associates should inform their covered entity immediately in the event of a HIPAA violation. HIPAA requires notification within 60 days.