Staying compliant with every applicable rule and regulation implemented by the Health Insurance Portability and Accountability Act (HIPAA) is not easy. Nevertheless, compliance is a legal requirement for all parties officially designated as covered entities, as well as their business associates. Before discussing how the covered entities are affected by HIPAA regulations, let’s first take a quick look at which parties qualify as covered entities.
Who are the Covered Entities?
There are three broad classifications, under which all covered entities are enlisted automatically. These are as follows:
Health Plan Providers
Covered entities listed under the Health Plans section are health maintenance organizations (HMO), health insurance providers, employer’s health plans, and government-sponsored healthcare plans (Medicare, Medicaid, etc.).
Healthcare providers such as the following are common examples of covered entities, but they are not the only ones:
- Psychotherapists, counsellors, psychologists and psychiatrists
- Diagnostic clinics and healthcare clinics
- Hospitals and nursing homes
The definition of a clearinghouse is not exact, but it would include any third party in charge of processing non-standardized patient data related to patients and insurance claims into standardized, checked and corrected information. They are the third and final type of covered entities on whom the HIPAA standards apply.
Who are the Business Associates?
All applicable business associates must also comply with the established HIPAA standards, but only through association. These would be the companies and individuals who gain access to patient records, as a mandatory part of the services which they provide to covered entities. Medical transcriptionists, cloud storage service providers, medical record keepers, CPA firms, attorneys, consultants, bill collection agencies and medical equipment manufacturers are just some of the common examples of business associates.
What are the Penalties for Noncompliance?
Failure to comply with applicable HIPAA regulations is one of the most common insurance company errors. Depending on the specifics of a particular case, a noncompliant party would face either civil penalties or criminal penalties. General reputation, prior records, circumstances, damages caused, etc., play important roles in deciding how the guilty party will be penalized.
- $100 per violation (capped at $25,000 max) if the party was aware/should have been aware of the HIPAA laws they have broken
- Civil penalties can be avoided if the violations were not instances of willful neglect, and were corrected in 30 days or less
- Minimum to maximum fines for criminal violations range between $50,000 – $250,000 (inflation rate adjustments might be applicable)
- Compensating the affected patients and/or victims adequately may also be deemed mandatory, depending on the damages caused
- Possible prison time, ranging from a few months to 10 years, depending on the violations’ nature and effect
It should be noted that all mentioned parties only become a covered entity after they partake in transmission and/or exchange of health records during interactions and transactions. However, an exception can be cited if the transaction in question is not covered by one of the established HIPAA standards. However, such instances are now quite rare, since HIPAA standards have grown over the years to cover almost everything.