Are you HIPAA Compliant?
Who needs to be?
Health care providers that transmit health information electronically, or use another party to do so on its behalf are required, by Federal Law, to be HIPAA Compliant.
Is there a penalty for non-compliance?
HIPAA penalties may be civil, criminal, financial or imprisonment. Improper use or disclosure of PHI (Private Health Information) can result in the following fines:
Civil monetary penalties for HIPAA privacy violations are $100 per incident, up to $25,000 per person, per year, per standard.
A person who knowingly violates HIPAA and obtains IIHI (Individually Identifiable Health Information) or discloses IIHI to another person may be fined up to $50,000 and imprisoned up to 1 year, or both.
If the offense is committed with the intent to sell, transfer or use IIHI for commercial advantage, personal gain, or malicious harm, the fine may be up to $250,000 and imprisonment up to 10 years.
How would anyone know I'm not compliant?
Every vendor, payer, malpractice insurance company, personal-injury attorney, hospital and health care provider is required to be HIPAA compliant, and most of them will require you to be as well. You will be asked to sign a "Business Associate Agreement" to demonstrate you are HIPAA compliant. Signing this agreement without being HIPAA compliant is fraud.
Will other providers refer me if I'm not HIPAA compliant? - Once other health care providers learn you are not HIPAA compliant, they are prohibited from referring patients to you and discussing patients with you without specific written authorization.
My office doesn't need its own compliance manual - The HIPAA laws state clearly that your office is required to have "formal documented procedures" specific to your practice. These must include "core elements" of the HIPAA law, documented "required elements" and documented "implementation requirements," as they apply to your practice. Your practice needs to have a list of the HIPAA requirements and how your office procedures comply with those requirements. This information must be documented in your compliance manual.
All I need to do is use the right HIPAA forms to be HIPAA compliant - The right forms are important, especially when revealing private patient information to others (such as personal-injury attorneys). However, just having the right forms doesn't satisfy the other HIPAA requirements, and it doesn't make your office HIPAA compliant.
My vendors don't have to provide my office with proof of HIPAA compliance - Besides other treating entities, every person and company you send or share patient health information with must sign a business associate agreement and possibly a "chain of trust" agreement that requires them to comply with the HIPAA privacy regulations. It is your responsibility to be certain they are implementing the HIPAA privacy standards before you share patient health information with them.
I just need to know about HIPAA, I don't have to do anything else - This is one of the worst misconceptions about HIPAA, and the most likely to lead the doctor into situations that could result in disciplinary action. Knowing about HIPAA is not enough. The HIPAA privacy and security requirements must be implemented into the doctor's practice as part of the standard procedures used in the care of patients.
Regulations:
http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr160_07.html
http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr162_07.html
http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html