HIPAA at a Glance

HIPAA or the Health Insurance Portability and Accountability Act is a set of practices that govern the privacy of individual health records. You may have heard of data sets that would be covered under HIPAA such as Personally Identifiable Information, Electronic Protected Health Information, or Protected Health Information (PII, ePHI, and PHI).

How Does HIPAA Impact Your Business

Businesses are expected to adhere to some specific rules, categorized as:

  • Privacy Rule
  • Security Rule
  • Transactions Rule
  • Identifiers Rule
  • Enforcement Rule

The Privacy Rule addresses how PHI and medical records of individuals may be used or disclosed with and without patient authorization. The Privacy Rule also addresses how the patient can obtain a copy of their record and request corrections. The Security Rule provides a set of Administrative, Physical, and Technical safeguards that the practice must implement to protect ePHI. In these two areas alone, the business must be ready to measure, monitor, and reduce risk to ePHI through the implementation of various technologies and practices that often have associated costs to the business.

What Is Considered PHI

Under HIPAA, PHI is any information about health care, health status, and payment for health care that can be linked to the following 18 identifiers:

Names Social Security Numbers
Phone Numbers Fax Numbers
Email Addresses Web URLs
Account Numbers Health Plan Beneficiary Numbers
Full Face Photographic Images Biometric Identifiers
Vehicle VIN Numbers and License Plates IP Address Numbers
Certificate/License Numbers Device IDs and Serial Numbers
Medical Record Numbers Any Other Unique Identifying Number
All elements of dates (except year) that are directly related to an individual All geographical subdivisions smaller than a state

What Fines Come with Ignoring the Rules

The following are primary tiers as provided by the HIPAA Journal concerning HIPAA violations:

Tier 1 Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA Rules had been violated

  • Penalty: $100 – $50,000 per violation with a maximum of $1.5 million per year

Tier 2 Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence

  • Penalty: $1,000 – $50,000 per violation with a maximum of $1.5 million per year

Tier 3 Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery

  • Penalty: $10,000 – $50,000 per violation with a maximum of $1.5 million per year

Tier 4 Willful neglect of HIPAA Rules and no effort made to correct the volition within 30 days of discovery

  • Penalty: $50,000 per violation with a maximum of $1.5 million per year

Note that there is an emphasis on exercising reasonable due diligence in Tier 1 and 2. If the entity decides not to exercise due diligence and are aware of the violations, then it could place them in Tier 3 or 4 category because of willful neglect. Knowing where the gaps are is half the battle, and ensuring you have a healthy plan of action can help you save a lot of money in the event there is an issue.

What You Can Do Today

If you do not know where you stand concerning meeting the requirements as laid out by HIPAA or have not performed a recent Risk Assessment, you should seek to work with a qualified entity that can help you understand the risks and ensure you are exercising reasonable due diligence in identifying problems.

Corsica Technologies has trained and certified IT Auditors ready to tackle the complex problems that any compliance requirement brings, and they can help you understand the gaps you may have with those requirements in simple terms. Don’t wait to get stuck with hefty fines and poor publicity before choosing to take action.

Contact us today for a HIPAA Compliance Assessment!

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.

Related Reads

MDM vs. MAM: Which one is right for you? - Corsica Technologies

MDM vs. MAM: Which One Is Right For You?

How should you handle mobile devices that have access to company data and systems? This is a crucial question for today’s on-the-go, hybrid workforce. Maybe you give your team company-owned mobile devices. Or perhaps your employees find it more convenient

Read more
Managed Network Services - Everything You Need to Know - Corsica Technologies

Managed Network Services: Everything You Need To Know

For overworked IT teams, managed network services are a lifesaver. Rather than monitoring network logs, troubleshooting switches, and working overtime to mitigate vulnerabilities, you can engage a trusted partner to manage your network for you. But not all providers are

Read more

Sign Up For Our Newsletter

Stay up-to-date on the Managed Services and Cybersecurity landscape, and be the first to find out about events and special offers.