The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national privacy, security and breach notification standards with respect to certain patient information. An experienced lawyer can help you understand if HIPAA applies to your company and what your obligations are under the rules. You may need to comply with complex restrictions on the use and collection of information, security requirements, and standards for individuals' privacy rights. Priori can connect you with a HIPAA lawyer on-demand to ensure you're in compliance with all relevant rules.
HIPAA’s Privacy Rule addresses the use and disclosure of individuals’ protected health information (PHI) by organizations considered covered entities, as well as their business associates. PHI refers to all individually identifiable health information held or transmitted in any form or media, whether electronic, paper or verbal.
The rule also addresses standards for individuals’ privacy rights regarding how their health information is used. For example, the disclosure of health information needed for patient care and other important purposes is permitted. The HIPAA Privacy Rule alone is generally not sufficient for understanding your obligations under the act. You should also be familiar with the Security Rule.
The Security Rule establishes a national set of security standards for protecting health information that is held or transferred in electronic form. The Security Rule establishes the safeguards, technical and non-technical, that covered entities must implement to secure individuals’ electronic protected health information (e-PHI).
Who is Affected?
The HIPAA Privacy Rule applies to “covered entities” and their business associates and gives patients an array of rights with respect to that information.
HIPAA rules apply directly to health plans, health care providers (such as doctors) and health care clearinghouses. These parties are considered “covered entities” because they directly receive health care information from patients. The Centers for Medicare & Medicaid Services offers a guide to determine whether you are a “covered entity.”
Covered entities have quite a bit of authority to disclose employee health information for purposes of treatment. For other purposes, the information disclosed must be the minimum necessary to achieve the purpose for which the information was released. Covered entities may also release employee health information as required to comply with workers’ compensation laws.
If a covered entity engages a business associate to help it carry out its health care operations, the covered entity must have a written contract or other arrangement with the business associate that establishes the details of the engagement and requires the business associate to comply with the HIPAA Rules. These details will include safeguards to the disclosure of PHI by either party. Business associates can include companies like software vendors and accounting firms.
You can download a free template of a business associate agreement in Priori's Legal Document and Form Learning Center.
Impact on HealthTech Startups
If you are launching a HealthTech startup, you should consider consulting a lawyer to understand whether you could be considered a “covered entity” or a business associate. Understanding your obligations is critical because HIPAA liability is linked along the chain of covered entities and business associates. This means that if your startup experiences a security breach, upstream partners like hospitals are also held liable for the violation. Working with an experienced lawyer to demonstrate strict HIPAA compliance can show that your company is serious about security and privacy, making you a trustworthy partner for larger covered entities.
HIPAA is related to human resource concerns because employers often seek employee health information (including billing, payment, treatment, health care plan enrollment status, etc.) for purposes related to workers’ compensation, health insurance, the Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA). Under HIPAA, the employer may face issues relating to the process for obtaining medical information about its employees unless the employer itself is classified as a “covered entity” under HIPAA. Although HIPAA does not restrict an employer from re-disclosing to third parties any information that it received under HIPAA, other state and federal laws may prohibit such disclosure.
HIPAA Requirements & Violations
The most common HIPAA violations include:
- Authorization expiration violations. An employee authorization may include an expiration date for the release of information, with which the entity seeking the information must strictly comply.
- Unauthorized release. An employee may designate a specific contact person to whom information may be released, and this restriction must be honored.
- Improper records disposal. Shredding (of paper records) or deletion of all copies (of digital records) is needed when an employer or covered entity is disposing of records.
Protect your business by working with a HIPAA lawyer to make sure you understand your obligations and comply with them.
Depending on your needs, the cost of HIPAA compliance can vary significantly. When you hire a lawyer in the Priori network, typical costs range from $5,000 to $10,000 to put together a full compliance package. Hourly rates are generally between $200 and $450 per hour. In order to get a better sense of cost for your particular situation, put in a request to schedule a complimentary consultation and receive a free price quote from one of our lawyers.
What happens if I don’t comply?
HIPAA violations are punishable by both civil and criminal penalties under the American Recovery and Reinvestment Act of 2009. Even if an accidental disclosure occurs without negligence on the part of the disclosing party, the minimum fine is $100 per violation, up to a maximum of $50,000 per violation, and a yearly maximum of $1.5 million.
What are some permitted uses and disclosures of PHI for covered entities?
General permissions for disclosure include: disclosure to the actual patient; disclosure for treatment, payment, and care by the covered entity; and disclosure for public benefit. Other types of disclosure may require written authorization from the individual in question. It is best to consult with a lawyer about what types of disclosure are permitted, to avoid ambiguity or the risk of a severe penalty.
How do I design my security measures?
The HIPAA Security Rule requires entities to design measures that are specific to their unique circumstances. You should consider variables including your entity’s size and complexity, your technical infrastructure (including software and hardware), and both the likelihood and impact of potential breaches. A lawyer can best help you assess your company’s unique needs and how best to design measures that comply with HIPAA.
What are examples of covered entities?
Covered entities include health plans, health care providers, and health care clearinghouses, each of which has slightly different obligations under HIPAA.
- Health Plans. Individual and group plans that provide or pay the cost of medical care are covered entities. These include health insurance companies, health maintenance organizations (HMOs) and long-term care insurers. Medicare and Medicaid insurers also fall under this category. In addition, employer-sponsored and church-sponsored health plans are considered covered entities.
- Health Care Providers. The HIPAA Privacy Rule requires most doctors, nurses, pharmacies, hospitals, nursing homes and other health care providers to protect the privacy of patients’ individually identifiable health information. These providers must transmit health information electronically for standard transactions, such as claims and benefit eligibility requirements.
- Health Care Clearinghouses. These are entities that process health information. The services they provide often include billing, repricing, or community health management, which require converting information between standard and non-standard formats.