Anyone who handles medical information has probably heard the horror stories about what happens when protected data falls into the wrong hands.
There is, for instance, the $16 million settlement that health insurance giant Anthem is paying in response to the largest U.S. health data breach in history.
In that case, hackers sent spear phishing emails to an Anthem subsidiary, where at least one employee responded to a fraudulent email and opened Pandora’s box for continued attacks. An investigation later found that the data breach — which was active from December 2, 2014 through January 27, 2015 — affected 79 million people and led to the theft of personal information, such as names, Social Security numbers, addresses, email addresses, and dates of birth.
And that record-high settlement was only one of the 11 fines — totaling $28.7 million — levied last year against businesses, organizations, insurers, and healthcare providers that are entrusted with sensitive medical information.
These real-life cases underscore how important it is for businesses that receive, process, handle, or store medical records to comply with the Health Insurance Portability and Accountability Act of 1996.
This law, commonly abbreviated as HIPAA, outlines required security and privacy protections for medical records. Complaints of potential HIPAA violations are investigated by the Office for Civil Rights at the U.S. Department of Health and Human Services, which can impose stiff fines and even prison time, depending on the circumstances.
Who must comply with HIPAA?
- HIPAA covers specific industries and people, including healthcare practitioners and insurers as well as their “business associates.”
- The business associate classification generally applies to contractors, partners, or vendors who have access to protected health information — commonly abbreviated as PHI — while performing their work with or on behalf of a company explicitly covered by HIPAA.
- The classification can even apply to “a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate,” according to the U.S. Department of Health and Human Services.
- A business associate agreement (BAA) with a form-building and sharing solution allows you to collect sensitive medical information without worrying about how that information is stored, handled, or processed.
  A BAA outlines the risks and responsibilities assumed by a private contractor or subcontractor, such as a form builder, as well as how it adheres to HIPAA. Essentially, it serves as a legally binding promise by a vendor to provide HIPAA-compliant services.
- Enhanced security and encryption standards serve as safeguards against data breaches.
  It’s important to point out, though, that the U.S. Department of Health and Human Services has determined that encryption alone isn’t enough to protect ePHI, or electronic protected health information. All businesses covered by HIPAA must have additional safeguards in place, such as administrative assessments that gauge ePHI risks or physical protections for systems and servers that house ePHI.
- Built-in security controls can limit who is able to access ePHI, as well as stymie spammers who may be trying to access sensitive information.
- As an added benefit, these enhanced security measures can be leveraged to collect payments through HIPAA-compliant, third-party processors such as Square.
The risk of being the subject of a HIPAA complaint or simply falling out of compliance is scary enough to send chills up your spine and make your hair stand on end. But there are good ways to reduce those risks.
If you’re still using traditional paper or PDF files to collect information from your patients or clients, you may want to consider switching to a HIPAA-compliant online form solution. Online forms can not only automate your workflow but also ensure that your collected electronic data is safe — so long as you follow the proper administrative protocols. Give it a try today! Ditch the paper and save some trees in the process!