If you’ve been to any type of health care provider for a check-up since 1996, you will likely recall signing a document that either denies access or gives certain people (e.g., a family member or friend) permission to accept phone calls or receive other medical information about you. That’s a HIPAA release form.
Here, we’ll explain what HIPAA is, how it applies to non-medical businesses, and how your company (even if it’s not a healthcare facility) can stay on the right side of the law.
What is HIPAA?
The Health and Insurance Portability and Accountability Act (HIPAA… not HIPPA) is a law enacted in 1996 to, in part, prevent patients’ protected health information (PHI) from being released without their permission or knowledge. Compliance is required by covered entities such as healthcare providers and health insurers (commercial and employer sponsored), as well as those entities’ business associates such as transcriptionists and health care clearinghouses that standardize information into usable data for the Department of Health & Human Services (HHS).
Of course, most people equate HIPAA violations with medical offices and facilities. While these providers are the most widely reported violators, business associates that have absolutely nothing to do with medicine can also be fined.
What is a Business Associate?
Business associates are companies that perform diverse types of services on behalf of HIPAA covered entities, including:
- Actuarial services
- Medical benefits management
- Data aggregating, analysis, and transmission
- Insurance utilization review
- Medical billing
- Medical practice management
- Electronic medical records (EMR) management
- Processing insurance claims
What HIPAA Obligations Do Business Associates Have?
Business associates are held to the same rigorous HIPAA compliance standards as covered entities. Covered entities are required to maintain contracts outlining HIPAA standards with their business associates to help ensure patient data is safeguarded. In turn, business associates must also have written contracts with any subcontractors that they hire.
What Are Hybrid Entities?
A hybrid entity performs both non-HIPAA-related and HIPAA-related tasks. For example, a professional services company that provides an onsite medical office for the benefit of its employees would be considered a hybrid entity. The physician and staff might be employed by the company, but the medical office itself remains separate and is the only covered entity. Another example is a grocery store that has a pharmacy inside. With hybrid entities, only the part of the company that is considered a covered entity is required to comply with HIPAA regulations.
Does HIPAA Apply to Employers?
Medical records that are frequently found in a workplace include:
- Documentation for Family and Medical Leave Act (FMLA) certifications
- Americans with Disabilities Act (ADA) accommodation requests
- Physician’s notes that are required to comply with paid time off policies
While these documents often contain personal health information, under HIPAA guidelines, they’re considered employment records and not medical records.
HIPAA also doesn’t prohibit an employer from:
- Requesting a doctor’s note for an absence
- Requesting information relating to healthcare coverage or wellness programs
- Asking for proof of COVID-19 vaccine or test results
Examples of HIPAA Violations by Employers
Any company that wants to steer clear of potential workplace HIPAA violations needs to properly guard the PHI they’re responsible for.
A HIPAA violation occurs when a person’s PHI at a covered entity or business associate has fallen into the wrong hands, whether willfully or inadvertently, without that person’s consent. The major challenge for non-medical business associates is twofold:
- They may not be aware that HIPAA applies to them; and
- If they are aware, their employees may not be well-trained in the ins and outs of the law, leaving them vulnerable to infringing on patients’ privacy rights.
In 2020, the U.S. experienced 1.76 data breaches of 500+ healthcare records every day, netting more than 29 million exposed records (HIPAA Journal). These are the three most typical HIPAA workplace violations that are found in healthcare organizations:
Lost or Stolen Devices
At most businesses, losing a work phone or laptop is somewhat of a big deal, but not as huge a deal as it is for businesses that are covered by HIPAA. Covered entities are more frequently using mobile devices to communicate about patients, so PHI data breaches resulting from loss and theft are more common than you may think. Fortunately, the increased use of encryption and cloud services for data storage have helped reduce the number of loss and theft incidents.
Unsecured Patient Information
Employees who handle sensitive patient data need to know where records are stored at all times. For instance, if an employee has patient records open on their desktop computer and leaves for lunch without locking their screen, someone could easily access them, which is enough to violate HIPAA rules. And even if employees are diligent about locking their workstations, strong password protection is just as critical.
Inadequate Employee Training
If you’re a covered entity or business associate, your employees can unintentionally leak PHI and result in your business being fined. Consider these situations:
- An employee discusses something unusual they read in a patient’s medical record with another employee in a break room full of other staff members
- A new employee in your billing department sends a detailed medical bill to the wrong mailing address
- An employee posts a story about a patient to their Facebook page
What Happens if a Business Violates HIPAA?
The Office for Civil Rights (OCR) is the investigating arm within the U. S. Department of Health and Human Services (HHS) that manages HIPAA violation complaints. The penalty for a HIPAA violation depends on its severity. In something of a departure from its federal department counterparts, the OCR would rather not punish violators with fines, instead preferring to offer guidance and education. But if a violation is severe enough, financial penalties will be imposed.
OCR has four categories of penalties, and the financial amounts are adjusted annually for inflation:
- Tier 1: The covered entity or business associate was unaware of and couldn’t have avoided a violation. Minimum fine of $100/violation up to a maximum $50,000.
- Tier 2: The covered entity or business associate should have been aware of but couldn’t have avoided a violation. Minimum fine of $1,000/violation up to a maximum $50,000.
- Tier 3: The covered entity or business associate willfully neglected HIPAA rules and attempted to correct the violation. Minimum fine of $10,000/violation up to a maximum $50,000.
- Tier 4: The covered entity or business associate willfully neglected HIPAA rules but did not attempt to correct the violation. Minimum fine of $50,000/violation.
What are examples of HIPAA violations?
Some examples of HIPAA violations include:
- An emergency department employee posting a photo to social media without obscuring the faces of the people in the photo.
- A nurse sharing a hospitalized patient’s medical history with an unauthorized family member.
- Disposing of sensitive medical documentation without appropriately shredding it first.
What happens if an employer violates HIPAA?
If an employer is a covered entity or business associate and they violate HIPAA rules, they can be fined depending on the level of violation listed above.
Can an employee violate HIPAA?
Yes. If an employee works for a covered entity or business associate, it’s possible for them to violate HIPAA rules.
Can an employer be sued for a HIPAA violation?
No, an individual cannot sue their employer for violating HIPAA, as any medical information stored is considered part of the employment record and not protected health information. If the employer is a covered entity or business associate, and an individual feels a violation has occurred, the individual should file a complaint with the Department of Health and Human Service’s Office of Civil Rights.