The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets strict standards to protect sensitive patient health information. It is vital for companies that deal with protected health information (PHI) to have effective and stringent security measures in place to ensure that they are HIPAA compliant.
These companies (covered entities) include anyone providing treatment, payment, and any other healthcare operations. It also applies to business associates (anyone who provides support in treatment, payment, or operations and has access to patient information) and their subcontractors. Penalties for noncompliance range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year, depending on the level of negligence. Serious violations could result in jail time.
Due to the seriousness of non-compliance and the hefty fines they carry, all healthcare companies need to ensure that they have an effective HIPAA policy in place and that their staff is adequately trained. This is why many companies take the route to become “HIPAA certified.”
Becoming certified involves two steps. Firstly, you and your staff members complete online certification courses (there are many different courses available, depending on staff members’ training needs). Secondly, a third-party certification company audits your company to see whether it is HIPAA compliant. If the audit finds that you meet the HIPAA Privacy, Security, and Breach Notification Rules, you can informally call yourself “HIPAA certified.”
What is HIPAA Certification?
When you and your staff members have successfully completed a certification course, you will be familiar with the HIPAA Act terms and equipped with the knowledge to apply these terms to your organization to ensure it is HIPAA compliant. Many online companies offer these courses, which is why you must do thorough research when looking for a good training company.
After a third-party certification company has done an audit and you are found to be HIPAA compliant, you can become HIPAA certified.
An advantage of a HIPAA compliance certification is that it confirms that a covered entity, business associate, or subcontractor complies with and understands HIPAA regulations, saving covered entities a considerable amount of time conducting due diligence on prospective suppliers.
HIPAA Certification and Compliance
There is a difference between certification and compliance. HIPAA certification means that an organization has completed a process to train the staff to become HIPAA compliant. Compliance is maintained by an organization when adhering to the regulations of HIPAA. Although the certification provides the instructions and guidelines to help an organization become compliant with HIPAA laws, it does not guarantee that the organization will see these guidelines through.
It is important to note that the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) do not endorse HIPAA certifications.
This does not mean that a HIPAA certification is worthless. Professional online courses ensure that your staff is aware of all the HIPAA rules and regulations and what needs to be done to ensure the company is compliant. If a third-party audit finds lapses in compliance, the company has time to correct them, whereas if the OCR finds lapses during an audit, the company may face fines or criminal indictments.
Certification may thus be considered as the next best thing in the absence of a program endorsed by HHS.
Who does HIPAA affect?
When it comes to healthcare, HIPAA affects just about everyone in many ways. Here are a few examples:
- It has an impact on patients, healthcare providers, and insurance companies.
- It assists people who have group insurance coverage through unions and employers.
- It helps those covered by employer self-insured plans.
- HIPAA impacts all healthcare workers, from physicians to the janitorial crew, in how patients and their information are handled.
HIPAA plays a vital role by requiring that all healthcare entities working with patient health information be in complete compliance with the HIPAA regulations. This reduces fraud, ensures privacy, and improves data systems, saving providers billions of dollars annually.
Why is there no HHS-endorsed HIPAA certification?
HIPAA compliance is an ongoing process, and regulations may change in the future. Besides this, there is no guarantee that a HIPAA-certified company will remain compliant in the future, because internal changes may take place in the company’s technologies, business objectives, or staff management policies.
Here are a few warnings and tips to keep in mind:
Because HIPAA regulations are complex and ever-changing, it’s challenging to stay updated with the latest changes and violations. Here are some of the most common violations and how you can prevent them:
- Keeping unsecured records.
All staff members must keep documents with PHI in a secure location. Lock files in a filing cabinet or desk and make sure digital files are encrypted and have secure passwords.
Hacking is a real threat to electronic protected health information (ePHI). Use firewalls and keep antivirus software updated on all devices containing ePHI. Create complicated and unique passwords and change them frequently.
- Lack of employee training.
Employee training is a requirement of the HIPAA law. You must ensure that your staff is thoroughly educated on the law and the policies and procedures of your practice.
- Unencrypted data.
Although this is not a strict HIPAA requirement, it is highly recommended. If a device containing PHI is stolen, encrypted data is an added protection. It’s also an additional layer of security if a password-protected device is hacked.
- Gossiping/sharing PHI.
General chit-chat in the staff kitchen may be harmless, but PHI should always be off-limits. Employees with access to patient PHI must be extremely cautious about the information they share with others. Keep conversations about PHI only with appropriate personnel and behind closed doors.
- Theft or loss of devices.
Devices not stored in a secure location at all times may be lost or stolen. If the information on such a device is not password-protected or encrypted, it becomes a serious issue.
- Employee dishonesty.
When employees access PHI they are not authorized to view, even without malicious intent, it is seen as a HIPAA violation. It may be merely out of curiosity, but the punishment is the same. Thorough training on who may access what, and on the consequences that will follow, can help prevent these incidents.
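Training prevents curiosity access; audit-log review catches it. As an added example (not code from the original article), the script below checks a constructed EHR access log against constructed care-team assignments and flags any record view by a user with no documented treatment relationship to that patient, giving a privacy officer a short list to review:

```python
"""Flag EHR audit-log entries where a staff member opened a patient's
record without a documented treatment relationship. The log lines and
care-team data below are constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed audit log: timestamp, user, patient id, action.
AUDIT_LOG = [
    "2024-03-01T09:02:11 user=nurse_kim patient=P1001 action=VIEW",
    "2024-03-01T09:05:40 user=dr_lee patient=P1001 action=VIEW",
    "2024-03-01T12:17:03 user=front_desk_ann patient=P2045 action=VIEW",
    "2024-03-01T12:19:55 user=front_desk_ann patient=P1001 action=VIEW",
    "2024-03-01T22:41:08 user=nurse_kim patient=P3390 action=VIEW",
]

# Constructed care-team assignments: users with a treatment relationship
# to each patient (in practice taken from scheduling/admission data).
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"nurse_kim", "dr_lee"},
    "P2045": {"front_desk_ann", "dr_lee"},
    "P3390": {"dr_patel"},
}

@dataclass
class Finding:
    user: str
    patient: str
    timestamp: str
    reason: str

def parse_entry(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; timestamp under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields

def find_unauthorized_access(log: List[str],
                             care_team: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per access by a user not on the patient's care team."""
    findings = []
    for line in log:
        e = parse_entry(line)
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append(Finding(e["user"], e["patient"], e["ts"],
                                    "no treatment relationship on file"))
    return findings

def users_to_review(findings: List[Finding]) -> Counter:
    """Count flagged accesses per user for the privacy officer's review."""
    return Counter(f.user for f in findings)
```

In production the care-team mapping would come from the scheduling or admission system, and break-the-glass emergency access would be logged and excluded separately.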
The HIPAA law affects just about everyone in the healthcare world in many ways. Compliance with the law is essential to avoid penalties and criminal indictments. Although HHS and OCR do not endorse certification, it can be beneficial for your company to become certified. It ensures that your staff is trained effectively and that your company is compliant with HIPAA rules and regulations.