Patients often use social media to review and connect with their healthcare providers. However, healthcare providers don’t usually get fined $10,000 for responding to a patient online. How did a dental practice violate HIPAA’s standards with a single message?
After a patient posted a negative review of the practice on social media, the dental office posted a response that included the patient’s name, insurance information, and treatment plan. With one social media post, this dental office ended up with a $10,000 fine for violating HIPAA.
Breaching HIPAA regulations is serious, but how do you know if your business needs to comply with these regulations? In this post, you’ll learn what makes an organization a HIPAA covered entity and how you can stay compliant if you are a HIPAA covered entity.
What is a HIPAA covered entity?
A HIPAA covered entity is a business or person that transmits health information electronically for transactions covered by the U.S. Department of Health and Human Services’ (HHS) standards. For example, a doctor who sends a referral to another doctor would be a covered entity because she is transmitting protected health information (PHI). Covered entities include healthcare providers, health plans, and healthcare clearinghouses.
The HHS currently has standards for
- Claims and encounter information
- Payment and remittance advice
- Claims status
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payment
- Electronic funds transfer
- Electronic health care claims attachments
The list of HIPAA covered entities doesn’t stop with healthcare organizations. A non-healthcare employer could also be subject to HIPAA regulations. How? If a business offers self-funded or self-administered health insurance or certain types of wellness programs to their employees, they are considered a covered entity and are subject to HIPAA’s rules.
Is it possible for a business to handle PHI in partnership with a HIPAA covered entity and not be a covered entity itself? Yes, depending on the type of work being done.
If an institution performs specific duties that include using PHI on behalf of a covered entity, they are defined as a business associate. This definition applies to all companies, which means a covered entity that provides certain services to another covered entity would be considered a business associate in that situation.
HIPAA covered entities have to follow stringent legal regulations. If you’re a covered institution, how can you comply with HIPAA’s legal standards?
What do HIPAA covered entities need to do to stay legally compliant?
To respect your legal obligations to patients, you need to keep their data secure. This protects your company’s reputation and avoids lengthy legal battles. Let’s explore how you can keep the PHI in your possession secure.
- Limit PHI access to the patient and those who need it to perform their jobs. Encryption may be necessary for some forms of online communication that involve PHI. Health information that’s no longer needed should be disposed of securely.
- Train your staff on how to deal with PHI properly. The dentist office mentioned above would have avoided that $10,000 fine if the employee responding on social media was trained on how to comply with HIPAA rules.
- Respect the rights of your patients when it comes to their health information. Patients are entitled to their PHI when they need it. Patients have the legal right to withdraw consent and stop covered entities from using and transmitting their PHI.
- Get signed BAAs. You must have signed business associate agreements (BAAs) with companies, such as data conversion providers, answering services, and email providers, that will have access to the PHI in your custody.
Is your business a HIPAA covered entity?
The first step to protecting your business from HIPAA violations is understanding your legal obligations. Businesses or individuals must fit a certain description to be a covered entity. What are those qualifications?
- Is your business a healthcare clearinghouse? Clearinghouses process nonstandard health data into a standard form or vice versa. Healthcare clearinghouses automatically count as HIPAA covered entities.
- Do you provide healthcare? Healthcare providers, such as hospitals, dentists, and chiropractors, are all covered entities.
- Do you offer health plans or insurance? Health insurance companies are covered entities.
- Are you an employer that offers self-funded or self-administered health insurance to your employees? Providing that type of insurance makes you a covered entity. Employers are also an entity if they run certain wellness programs, employee assistance programs, medical reimbursement, or an onsite clinic.
Determining whether your business is a HIPAA covered entity is the first step to establishing the proper procedures and training programs to keep your organization compliant.
Following the rules for covered entities protects your business from legal trouble
HIPAA covered entities are subject to serious legal penalties for even inadvertent violations of patient privacy. Organizations that work hard to protect their patients’ privacy and security build trust and a better brand.
JotForm helps organizations collect patient information and stay HIPAA compliant. Our secure, encrypted forms prevent PHI from falling into someone else’s hands and give clients a seamless experience. Try our forms today.