The Health Insurance Portability and Accountability Act (HIPAA) establishes certain minimum requirements for the protection of patient health information. So, for example, restrictions on how your doctor keeps electronically stored medical records, and the specific circumstances under which they can disclose that information to a third party, are governed by HIPAA. Unknown to many businesses, however, are HIPAA requirements that often extend beyond a doctor’s office, and can hold a number of other entities accountable (including imposing stiff monetary penalties) for how they keep and process medical information.

HIPAA coverage extends, inter alia, to any (1) healthcare provider that (2) electronically transmits health information in connection with certain transactions, typically including financial or administrative activities related to healthcare.  The regulations define a healthcare provider broadly to include not only institutional healthcare providers and physicians, but therapists, aides, suppliers, pharmacies, and individuals or organizations that furnish or are paid for healthcare services or supplies in the normal course of their business. In other words, entities that provide these services or supplies, and then electronically transmit health information as part of billing or referral processes, are likely covered by HIPAA’s requirements. 

These requirements can be burdensome, including strict standards for how an entity handles protected health information. Rules set forth by the U.S. Department of Health and Human Services (HHS) detail a number of safeguards related to administrative, physical, and technical security standards. Moreover, HHS privacy rules cover not just the protection of patient information, but standards for how companies must respond to a breach. 

Companies who handle health information in any form should always conduct a full audit to confirm whether their business falls within HIPAA’s purview. After all, the penalties for a HIPAA violation can be steep, ranging from approximately $100 to $50,000 per violation. In one instance, a $125,000 fine was levied against a doctor’s office for a doctor disclosing patient information to a news outlet (following instruction not to respond to the media). The office then took no steps to discipline the doctor or take corrective action. In another recent instance, HHS levied a $100,000 fine against an electronic medical record provider following discovery that the company had not conducted a comprehensive risk analysis prior to a data breach.
 
For assistance with HIPAA compliance, please contact a member of PilieroMazza’s Labor & Employment Group. The Group also offers preventive training sessions, which can be tailored to meet your company’s specific needs.
 
Sarah Nash, the author of this blog, is a member of PilieroMazza’s Labor & Employment Group.