HIPAA Compliance: What Your Non-Profit Needs to Know
What is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, must also be in compliance.
HIPAA & Nonprofits
HIPAA is most often discussed in the context of electronic data records. This is also the context that non-profits in the health sector have to deal with. When doctors switched to electronic health records, it became easier for patients to change doctors, visit the emergency room, and consult with specialists. Unfortunately, it also opened the door to new security risks.
This risk level means there’s a strong need for protection and regulation of electronic Protected Health Information, or ePHI. Non-profits that don’t comply could face thousands — if not millions — of dollars in fines. To prevent this, here’s what your non-profit needs to know about HIPAA and ePHI data.
How to Identify ePHI Data
If you have any of the following information about your clients, members, or beneficiaries, then you do need to follow HIPAA compliance:
- Any past or present health conditions — either physical or mental
- Any past, present, or future planned medical treatment
- Any past, present, or future payment information for medical care
Along with this data, each patient comes with identifiers that could connect the dots between the treatment and the individual. There are 18 traits that HIPAA looks for to identify someone:
- Names
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
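Several of the identifiers above have a fixed shape (SSNs, phone and fax numbers, email and IP addresses, URLs, full dates, zip codes, record numbers, exact ages over 89), so a first-pass check for whether a record or export is de-identified can be automated. The following Python scanner is an added example written for this article; it is not code from the article's author or from Sumac. The regular expressions, the category names, and the sample records are constructed assumptions, and free-text traits such as names or "any other characteristic" still need a human review.

```python
import re

# Regular expressions for the machine-detectable subset of the 18 HIPAA
# identifiers listed above (constructed for this example; tune before real use).
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(r"(?<!\d)\d{3}[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Dates more specific than a year (mm/dd/yyyy or yyyy-mm-dd).
    "full_date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    # Zip codes are geographic subdivisions smaller than a state.
    "zip_code": re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)"),
    "medical_record_number": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
}
# Exact ages are allowed up to 89; anything above must be aggregated.
AGE_PATTERN = re.compile(r"\b(?:age|aged)\s*:?\s*(\d{1,3})\b", re.IGNORECASE)

# Constructed sample records for demonstration; none describe a real person.
SAMPLE_RECORDS = {
    "intake_note": (
        "Patient Jane Q. Sample, MRN 0048213, SSN 123-45-6789, DOB 04/12/1984, "
        "age 41, phone 617-555-0142, email jane.sample@example.org, zip 02139. "
        "Donated blood on 2024-03-02; follow-up advice mailed."
    ),
    "aggregate_report": (
        "In 2024, 312 donors in Massachusetts completed a follow-up; "
        "the median recovery time was 3 days."
    ),
    "elderly_note": (
        "Donor aged 92 reported dizziness; form submitted from 203.0.113.7."
    ),
}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return each identifier category present in `text` with the matched strings."""
    found: dict[str, list[str]] = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    over_89 = [age for age in AGE_PATTERN.findall(text) if int(age) > 89]
    if over_89:
        found["age_over_89"] = over_89
    return found


def is_safe_harbor_deidentified(text: str) -> bool:
    """True when the scanner finds none of the pattern-detectable identifiers.

    A True result is necessary but not sufficient: names and other free-text
    characteristics are not covered by these patterns.
    """
    return not find_identifiers(text)


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        hits = find_identifiers(record)
        status = "de-identified (pattern check)" if not hits else "contains ePHI identifiers"
        print(f"{label}: {status}")
        for category, values in hits.items():
            print(f"  {category}: {values}")
```

Run the file directly to see the intake note flagged on six categories, the aggregate report pass (state and year alone are permitted), and the elderly note flagged for both the IP address and the exact age over 89. A record that passes this check is only a candidate for release; someone still has to read it for names and other unique characteristics.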
Who Are HIPAA Covered Entities?
The Office for Civil Rights (OCR) is the governing body of HIPAA. It publishes a chart that explains who is required to follow HIPAA regulations. These organizations tend to fall into three main categories.
- Health care providers — these include doctors, dentists, psychologists, clinics, and nursing homes or hospice care.
- Health insurance companies — including HMOs, company health plans, and government plans that pay for healthcare.
- Health care clearinghouses
Not only is the main organization required to follow HIPAA guidelines, but business associates of the main body are also liable. As a non-profit, you might not have direct access to patients and their health information, but if you come into contact with any ePHI data and identifiers, you may be a business associate.
What Are the Consequences of Violating HIPAA?
LuxSci proposed an interesting case study that proves how challenging identifying ePHI and HIPAA violations can be. Let’s say a blood bank sends a newsletter offering treatment advice for recovering after donating blood. If the newsletter goes out to their entire mailing list and provides general advice for all patients, then HIPAA isn’t an issue. However, if the newsletter is sent exclusively to patients that had donated blood, then the non-profit is technically discussing past medical history that could be relevant to a doctor or something the patient is reluctant to disclose.
Like most legal and insurance issues, there is plenty of gray area when it comes to punishing HIPAA violators. In most cases, the judge will look at the intent and knowledge that the institution had at the time when the information was compromised. There are four levels of violation that a non-profit needs to be aware of.
- The organization did not know (and by reasonable diligence could not have known) that they violated HIPAA. This leads to a minimum penalty of $100 per violation.
- HIPAA was violated due to a reasonable cause, not due to willful neglect. This has a minimum penalty of $1,000 per violation.
- The HIPAA violation occurred due to willful neglect, but was corrected within a required time period. This has a minimum penalty of $10,000 per violation.
- The HIPAA violation occurred due to willful neglect and was not corrected. This has a minimum penalty of $50,000 per violation.
The maximum penalty for all four of these tiers is $50,000 per violation, with an annual maximum fine of $1.5 million.
What Can Non-profits Do to Stay HIPAA Compliant?
Now that you know what data you need to protect, follow these steps to make sure you’re doing everything in your power to keep information safe from the hands of hackers.
1. Talk with your database provider and cloud storage company about HIPAA compliance. These professionals should understand the requirements to maintain secure platforms for information and work to keep them safe. Remember, if you handle medical information, they are considered associates and both of you are liable if data is breached. (Sumac is one of the databases that is HIPAA compliant).
2. Set up encryption and access controls for ePHI data. This means assigning unique usernames and passwords, only allowing staff to access the data on a secure network, and investing in added encryption technology for your systems.
3. Restrict access to patient and beneficiary information to a few employees. This means digital access, where only a few have the login credentials needed to reach the data, as well as physical access to server rooms and any printed files.
4. Keep records of file access and tracking. By auditing these records, you can see who accessed patient information and when, and identify any suspicious activity or security breaches.
5. Create a plan for security breaches. Every company that has access to ePHI data should have a plan for all potential failure scenarios and how they will be fixed. Creating and executing these plans could be the difference between a level four and a level three violation, saving your non-profit millions.
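Steps 2 through 5 fit together once access to ePHI is logged: the log can be checked against the short list of cleared staff (step 3), the secure network (step 2), and normal working patterns, and anything that falls outside feeds the breach plan (step 5). The script below is an added example written for this article, not code from its author or from Sumac. The log line format, the user list, the trusted network range, the business-hours window, and the bulk-access threshold are all constructed assumptions; a real deployment would take them from the organization's own access-control policy and its database or storage provider's audit logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed policy values (assumptions for this example, not from the article).
AUTHORIZED_USERS = {"asmith", "bjones"}                 # staff cleared for ePHI (step 3)
TRUSTED_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # the "secure network" (step 2)
BUSINESS_HOURS = range(8, 18)                           # 08:00-17:59 UTC
BULK_THRESHOLD = 5                                      # distinct records per user per day

# Constructed sample access log: one event per line, key=value fields.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z user=asmith action=read record=MRN-0048213 src=10.20.1.15
2024-05-02T09:20:41Z user=bjones action=read record=MRN-0051177 src=10.20.3.8
2024-05-02T11:02:19Z user=intern7 action=read record=MRN-0048213 src=10.20.1.40
2024-05-02T23:41:55Z user=asmith action=read record=MRN-0060001 src=10.20.1.15
2024-05-03T10:05:00Z user=bjones action=export record=MRN-0048213 src=198.51.100.23
2024-05-03T10:05:01Z user=bjones action=read record=MRN-0051177 src=10.20.3.8
2024-05-03T10:05:02Z user=bjones action=read record=MRN-0051178 src=10.20.3.8
2024-05-03T10:05:03Z user=bjones action=read record=MRN-0051179 src=10.20.3.8
2024-05-03T10:05:04Z user=bjones action=read record=MRN-0051180 src=10.20.3.8
2024-05-03T10:05:05Z user=bjones action=read record=MRN-0051181 src=10.20.3.8
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware 'time' plus the key=value fields."""
    ts_str, *fields = line.split()
    event = {
        "time": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    }
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def audit(log_text: str) -> list[dict]:
    """Return one finding per policy deviation found in the access log (step 4)."""
    findings = []
    records_per_user_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        who, rec = ev["user"], ev["record"]
        if who not in AUTHORIZED_USERS:
            findings.append({"kind": "unauthorized_user", "user": who, "detail": rec})
        if ipaddress.ip_address(ev["src"]) not in TRUSTED_NETWORK:
            findings.append({"kind": "untrusted_network", "user": who, "detail": ev["src"]})
        if ev["time"].hour not in BUSINESS_HOURS:
            findings.append({"kind": "after_hours", "user": who, "detail": ev["time"].isoformat()})
        records_per_user_day[(who, ev["time"].date())].add(rec)
    # Many distinct records by one person in a day is the pattern of a bulk export.
    for (who, day), recs in records_per_user_day.items():
        if len(recs) >= BULK_THRESHOLD:
            findings.append({"kind": "bulk_access", "user": who,
                             "detail": f"{len(recs)} distinct records on {day}"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding['kind']:18} {finding['user']:8} {finding['detail']}")
```

On the sample log this reports four findings: an account that is not on the cleared list reading a record, a cleared user reading a record late at night, an export from an address outside the trusted network, and one user touching six distinct records in a day. Each finding is a trigger for the breach plan in step 5, and the incident of an intern "taking a peek" described at the end of the article is exactly the first kind.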
People tend to think about HIPAA violations in a grand sense, where large amounts of patient information are stolen by a mysterious hacker-mastermind. However, a HIPAA violation can be as simple as sending patient records to the wrong email address, or an intern taking a peek at a file they shouldn’t look at. In all cases, it’s the role of the non-profit to act swiftly to correct the security breach and make sure it never happens again.