It goes without saying that if you have ever dealt with or thought about HIPAA, you have figured out there is a lot of jargon that goes along with it. The following article will discuss some HIPAA basics.
The Health Insurance Portability and Accountability Act – simply known as HIPAA – protects individually identifiable health information (IIHI). There are three requirements to consider information to be IIHI:
When IIHI is maintained or transmitted in electronic form, it is called protected health information (PHI). HIPAA created certain privacy and data security rules to regulate the collection, use, disclosure, and protection of PHI.
Generally, covered entities, such as health care providers, must only collect, use, and disclose the minimum amount of PHI necessary to accomplish a transaction. The HIPAA Transactions Rule mandates compliance with uniform standards for some electronic transactions using PHI. Covered entities must also create data security procedures, policies, and protocols to protect PHI. Both covered entities and business associates (we covered this term here What's Hip with HIPAA? Covered Entities and What's Hip with HIPAA? Business Associate Agreements) must notify individuals if there is a security breach.
Violations of HIPAA include both civil and criminal penalties. Civil penalties may range from $100 to $1.5 million for each type of violation. Criminal sanctions can include up to $250,000 and 10 years in prison, depending on the circumstances. However, multiple violations have the potential to drive penalties much, much higher – as demonstrated in this $5.5 million settlement case.
For almost 20 years Kim Lowe has lawyered from the trenches. Kim lawyers from experience, using her knowledge of the law and understanding of how both for-profit and nonprofit business enterprises operate.
Emilee Walters is a second year law student at St. Thomas School of Law. Emilee is an Avisen Fellow exploring a legal career in business law.