The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act) and HITECH Act (Health Information Technology for Economic and Clinical Health Act). The HIPAA Privacy and Security Rules established national standards to protect individuals´ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rules requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rules also gives patient’s rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The HITECH Act expands Federal privacy and security protections for healthcare information. As healthcare providers move toward exchanging large amounts of health information electronically, this legislation aims to ensure that such information remains private and secure.
Who must be compliant?
Organizations that must comply with HIPAA include healthcare providers, health care clearinghouses, such as billing services and community health information systems, and any provider that transmits healthcare data in a way that is regulated by HIPAA. The HITECH Act expands the scope of HIPAA, ensuring that entities that were not established when the Federal Privacy Rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers. The cost of compliance and validating compliance with HIPAA and HITECH depends on several factors. This includes the nature of the covered entity, volume of transactions managed each year, data handling and storage practices, and the IT infrastructure within the organization. Many organizations have faced sanctions, regulatory oversight, and heavy fines because they did not properly protect sensitive healthcare information.
The cost of being compliant significantly outweighs the cost of doing nothing. Non-compliance may result in:
Incidental violations with fines from $100 per incident up to $25,000 for the same violation per calendar year.
Wrongful disclosure, prosecuted by the Department of Justice, with penalties for responsible parties ranging from $50,000 and 1 year in prison up to $250,000 and 10 years in prison.
Lawsuits, including class action lawsuits, by parties claiming that they have been damaged or suffered loss can be extremely costly.
Ongoing Federal oversight
Loss of customers
Loss of patient confidence
Termination of contracts