In recent months, we’ve devoted a good deal of blog space to the Payment Card Industry Data Security Standard (PCI DSS) and the importance of “sticking” to it. But for healthcare providers, remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA)—which lays out a set of physical, network, and process security standards that must be met to safeguard patients’ protected health information (PHI)—is just as critical.
Big Financial Risks
Failure to comply with HIPAA brings big financial risks, including fines and penalties as well as potential legal action, such as class action lawsuits, and even jail time. These risks apply even if an entity is unaware that it is in violation of HIPAA.
Here’s a breakdown of fines and penalties for violating HIPAA, from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). On the civil penalties front, willful violations of HIPAA cost guilty parties a mandatory fine of $50,000 per violation. Violations found to have resulted from negligence, rather than willful neglect, are penalized at up to $50,000 apiece. And even in situations where there was no negligence and a HIPAA violation was entirely innocent, entities are assessed a fine of at least $100 and up to $50,000 per violation.
Meanwhile, when it comes to criminal charges and jail time for violating HIPAA, any individual who knowingly commits data theft or healthcare fraud—whether out of maliciousness or with criminal intent—can receive a jail sentence of up to 10 years. Obtaining PHI under false pretenses is punishable by up to five years in prison. Even criminal HIPAA violations that are simply due to negligence can land violators in prison for up to one year.
But significant financial and other penalties aren’t the only factors that make a case for HIPAA compliance. Relationships with patients are also at stake. Patients are becoming increasingly concerned about the privacy of their data, and media coverage of data breaches in seemingly every vertical market is fanning the flames. Just as consumers appear less apt to do business with merchants that have been exposed as careless with their data, patients are likely to be less inclined to seek care from providers that do not adhere to HIPAA.
Look at it this way: Being HIPAA-compliant means that a healthcare provider has adequate measures in place to protect patient data. This compliance engenders patient trust, and since trust is the backbone of every business entity, patients are more inclined to choose and stick with a healthcare provider they trust.
There’s no question that following the steps outlined in another E-Complish blog will be instrumental in helping healthcare entities avoid running afoul of HIPAA. However, it’s also important to work with HIPAA-compliant payment solutions and services providers to ensure compliance.
Payment solutions and services providers undergo stringent annual security assessments by a third-party firm to assess and certify their compliance with HIPAA. Each assessment involves a comprehensive review of not only providers’ policies and procedures, but also network and data flow diagrams, physical and environmental security measures, and disaster recovery and backup processes.
What’s more, third-party HIPAA assessments also entail a close look at the way payment solutions providers handle vulnerability management, penetration testing, system hardening standards, and other pertinent areas. Patch management; access control; data storage, logging, and auditing; security monitoring; and incident response are part of the assessment as well.
E-Complish is fully HIPAA-compliant and works with its healthcare provider clients to maintain their own HIPAA-compliant status. Click here to learn more or schedule a consultation.