HIPAA Violations

A $1.5 million fine is nobody’s idea of a good time, even less so spending ten years in prison. These are the maximum penalties a person or business can face under new legislation for HIPAA violations, a very pertinent topic for those working in the medical billing and coding profession. If you are unwittingly careless, you may find yourself facing a HIPAA fine for exposing certain information about your clients. Even at $100, the minimum fine for such violations is still worth avoiding.

The legal basis for HIPAA violation penalties naturally goes back to the signing into law of the Health Insurance Portability and Accountability Act in August of 1996. Since then there have been several additional pieces of legislation and addenda affecting the implementation and enforcement of HIPAA – notably the American Recovery and Reinvestment Act of February 2009 which established a tiered penalty system for HIPAA violations – with the most recent being the Final Rule, issued by the Office for Civil Rights of the US Department of Health and Human Services. This Final Rule has had the effect of expanding liability to those involved in the medical billing and coding profession.

Under current legislation, medical billing and coding professionals need to be aware of two key phrases, “Covered Entity,” (CE) and, “Personal Health Information,” (PHI) also referred to as Protected Health Information.

FIND SCHOOLS
Sponsored Content

Covered Entity refers to three primary groups: health care clearinghouses, health care plans, and health care providers. Billing and coding professionals can be considered to be part of health care clearinghouses, and because of the Final Rule, business associates of any of these three groups can be held liable for HIPAA violations. In other words, health care providers are also liable for HIPAA violations by a contracting billing and coding business.

Personal Health Information refers to any information in a medical or designated record that can identify a person during or after a course of treatment. This includes:

  • Account numbers
  • Phone numbers
  • Any numbers having to do with dates (admission, birth, discharge), except those designating years
  • Phone numbers, email addresses, and street addresses
  • Biometric identifiers

What You Can Do

As a medical billing and coding professional, you can face civil and criminal penalties if you willingly, accidentally, or through carelessness expose the personal information of someone who has received health care services. Probably the best thing you can do to avoid making HIPAA violations is to always keep in mind that the data you are dealing with is confidential, and treat it as such by only working with it in a secured environment.

The minimum fine of $100 can be assessed if the person in violation did not reasonably know he or she was in violation of the Act, and no penalty will be assessed if the situation is corrected within 30 days. A $1,000 penalty is the next level of assessment, for those who violate HIPAA with reasonable cause that is not due to willful neglect. Said differently, if you are careful and make an effort to not make any breaches of HIPAA, you will most likely be okay and in the worst case face a $100 fine.

If it does happen that you find you have breached HIPAA, you will need to go through a short procedure that includes reporting the violation to both the patient and government. To notify the patient, you will need to send the following either by mail or email (if previously approved for communication by the patient) within 60 days:

  1. Description of what happened
  2. Date of the violation and when it was realized
  3. What private information was disclosed
  4. An apology and description of what is being done to investigate
  5. Your contact information

To make a report to the federal government, you will need to fill out an online form with the Health and Human Services Office for Civil Rights, either at the same time you notify the affected patients if they number more than 500, or 60 days after the calendar year in which the violation occurred if the number of patients involved is 499 or less.