HIPAA, The Health Insurance Portability and Accountability Act of 1996 and related federal regulations, address the privacy and security of protected health information (PHI). PHI is protected by the U.S. Department of Health and Human Services’ (HHS) enforcement of the HIPAA Privacy Rule and Security Rule. Enforcement by HHS includes the ability to impose fines on those who violate the law.Already

Among other things, HIPAA requires covered entities to protect against the unauthorized disclosure of electronic PHI such as names and Social Security numbers. Generally, covered entities are health care providers, health care insurers, and health care clearinghouses.

In one case this year, HHS imposed fines as high as $4.3 million for HIPAA violations where a covered entity failed to encrypt a laptop and two USB drives that later were stolen resulting in disclosure of PHI for almost 35,000 people. In its decision, the HHS Departmental Appeals Board emphasized that HIPAA’s requirements aren’t optional. Unless compliance legitimately isn’t feasible, even seemingly-minor violations can lead to hefty fines.

Business associates of covered entities must comply as well. These typically are people or companies that contract with covered entities to provide services involving the exchange of PHI, and they can include IT professionals, attorneys, accountants, and many others. Because business associates typically aren’t medical providers, their need to be HIPAA-compliant may not always be obvious. But small missteps can result in massive penalties; for example, the theft of one unencrypted smart phone resulted in HHS’s imposing a $650,000 fine against a non-compliant business associate.

If it’s unclear whether your business must be HIPAA-compliant, don’t bury your head in the sand. Instead, call us to discuss whether you have any HIPAA-compliance responsibilities. We’d be delighted to assist you.