How to make sure your employees’ health information stays private

The federal government has strict rules about personal health information. Insurance carriers assume much of the responsibility, but many employers that sponsor health plans are just as responsible. The financial penalties for revealing personal health information can be surprising, so it's important to know where your organization stands.
“The level of responsibility depends on how the plan is funded,” says Amber Hulme, Medical Mutual Vice President, Central and Southern Ohio. “But every organization should know how the privacy rules work, so employees can feel good about the safety of their health information.”
Smart Business spoke with Hulme about how the privacy rules help protect health information, what types of penalties organizations can face for not complying and how to make sure their employees’ health information is protected.
Which privacy laws protect health information?
The first was the Health Insurance Portability and Accountability Act (HIPAA). Congress passed HIPAA in 1996 to set standards for insurance carriers and other covered entities and make sure people's protected health information (PHI) stays confidential. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed to widen the scope of the privacy and security protections under HIPAA. HITECH made covered entities more liable and increased government enforcement.
What kind of information qualifies?
A wide range of personal health information is protected by law, such as doctor’s notes, claim status, payment information and coordination of benefits. But even when information doesn’t specifically reference a person’s health condition, it can still be considered PHI.
Under HIPAA, PHI also includes information that identifies the individual and references how their care was paid for and provided. So any data that meets the right criteria is protected just as much as a full medical record. A person’s name and Social Security number can be considered PHI when it’s tied to payment for medical care.
What types of organizations does HIPAA affect?
HIPAA rules affect organizations that are fully insured through their insurance carrier, as well as those that have self-funded health plans and pay their own claims. But there are important differences in terms of actual responsibilities.
For example, the insurance carrier is considered the covered entity when the organization has a fully insured plan and does not have access to PHI. But when organizations are self-funded, they often have to handle the kind of sensitive information that is protected by HIPAA in order to administer their plan. In those situations, self-funded organizations are directly liable to the government if anything goes wrong.
What are the penalties for an unauthorized disclosure?
It depends on the number of people involved and how it’s handled. If the organization is a covered entity and was unaware an incident occurred, the penalty could be as low as $100 per violation. But the amount increases significantly if it’s determined there is reasonable cause or willful neglect involved. In those cases, covered entities can face penalties of up to $50,000 per violation or more depending on the number and the nature of the violations.
How can organizations help protect health information?
Again, it depends on how the health benefits are structured. If organizations are fully insured and don't directly handle this type of information, it's important to ensure they have a good relationship with their insurance carrier and understand its policies and procedures for handling PHI.

Self-funded organizations often do handle PHI, so they need to be vigilant. They should only allow employees to access certain information if they need it to do their jobs. It’s also important to know how soon their plan administrator will tell them if a breach occurs so they can send the required notices. This should all be outlined in their business associate agreement, but it’s a good idea to check if they aren’t sure.
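One way to enforce the need-to-know rule described above in a system that stores plan data, as an added example that is not part of the original article and not Medical Mutual's own code: each job role is mapped to the PHI fields it needs, any request that reaches outside that set is refused rather than silently trimmed, and every attempt is recorded before data is returned. The role names, field names and the member record are invented for illustration.

```python
"""Hypothetical minimum-necessary access layer for a self-funded plan's PHI.

Illustrative only: role names, fields and the sample record are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record; every value is fictional.
SAMPLE_RECORDS = [
    {
        "member_id": "M-000123",
        "name": "Jane Example",
        "ssn": "000-00-0000",
        "claim_status": "pending",
        "payment_amount": 412.50,
        "diagnosis_notes": "fictional physician note",
    }
]

# Hypothetical role-to-field map: each role sees only what its job requires.
ROLE_PERMISSIONS = {
    "benefits_admin": frozenset({"member_id", "name", "claim_status"}),
    "payroll": frozenset({"member_id", "name", "payment_amount"}),
    "plan_administrator": frozenset(
        {"member_id", "name", "ssn", "claim_status", "payment_amount", "diagnosis_notes"}
    ),
    "manager": frozenset(),  # a role with no job need for PHI at all
}


class PhiAccessDenied(PermissionError):
    """Raised when a request asks for fields outside the caller's role."""


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    member_id: str
    requested: tuple
    granted: tuple
    denied: tuple


def partition_fields(role, fields):
    """Split a field request into (granted, denied) for the given role.

    An unknown role is granted nothing, so an unconfigured role fails closed.
    Duplicate field names are collapsed while preserving request order.
    """
    allowed = ROLE_PERMISSIONS.get(role, frozenset())
    requested = tuple(dict.fromkeys(fields))
    granted = tuple(f for f in requested if f in allowed)
    denied = tuple(f for f in requested if f not in allowed)
    return granted, denied


class PhiStore:
    def __init__(self, records):
        self._records = {r["member_id"]: dict(r) for r in records}
        self.audit_log = []

    def read(self, user, role, member_id, fields):
        """Return only the requested fields that the role may see.

        The attempt is logged before any data is returned, whether or not it
        succeeds. A request containing any field outside the role is refused
        as a whole so that over-broad queries are visible in the audit log
        instead of being quietly narrowed.
        """
        fields = list(fields)
        granted, denied = partition_fields(role, fields)
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, member_id=member_id,
            requested=tuple(fields), granted=granted, denied=denied,
        ))
        if denied:
            raise PhiAccessDenied(
                f"{user} ({role}) may not read {', '.join(denied)} for {member_id}"
            )
        record = self._records.get(member_id)
        if record is None:
            raise PhiAccessDenied(f"{user} ({role}): no such member {member_id}")
        return {f: record[f] for f in granted}


if __name__ == "__main__":
    store = PhiStore(SAMPLE_RECORDS)
    print(store.read("alice", "payroll", "M-000123", ["member_id", "payment_amount"]))
    try:
        store.read("bob", "manager", "M-000123", ["diagnosis_notes"])
    except PhiAccessDenied as exc:
        print("denied:", exc)
    for entry in store.audit_log:
        print(entry)
```

The audit log is what makes this useful during an incident: because denied attempts are recorded alongside successful reads, the organization can show which users touched which fields for which member when it has to decide whether a disclosure occurred and who must be notified.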

Insights Health Care is brought to you by Medical Mutual