The Health Insurance Portability and Accountability Act (HIPAA) sets standards for the lawful use and disclosure of protected health information (PHI): individually identifiable health information, including names, addresses, phone numbers, Social Security numbers, medical records, financial and billing information, and similar identifiers.
Health plans, health care clearinghouses, and health care providers that transmit health information electronically ("covered entities") must comply with HIPAA. So must "business associates" that create, receive, maintain, or transmit PHI on their behalf, including billing companies, storage providers, email hosting services, attorneys, accountants and many others.
HIPAA regulation requires compliance with a number of standards:
Self-audits to assess gaps in the administrative, technical, and physical safeguards required by the Security Rule
Documented remediation plans to correct the gaps those audits find
Regularly updated policies and procedures, with employee training on them
Documentation of ALL efforts to become and remain HIPAA compliant
Business Associate Management, including a signed business associate agreement (BAA) before ANY PHI is shared
Incident Management to document any data breach and to meet the Breach Notification Rule's requirements to notify affected individuals and HHS (and, for large breaches, the media)
Civil penalties for HIPAA violations are tiered by culpability. At the statutory base rates they range from $100 to $50,000 per violation, where a violation can be as small as a single record, capped at $1,500,000 per year for violations of an identical provision. Where there was no good-faith effort to comply (willful neglect), penalties sit at the top of that range, and knowingly obtaining or disclosing PHI in violation of HIPAA is a criminal offense carrying up to a year in prison at its lowest tier, with longer sentences for violations committed under false pretenses or for personal gain.
CyGov has integrated HIPAA into its platform and mapped the standard back to other frameworks and standards. This saves time, improves accuracy, and gives peace of mind when handling PHI.