HIPAA compliance for US nonprofits is critical
Since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, organizations throughout the U.S. have been acutely aware of the need to protect the privacy and security of health information. At first glance, it's easy to think HIPAA affects only healthcare providers. However, that isn't necessarily the case.
Find out if HIPAA compliance is required for your nonprofit — and what that means for your organization's processes.
What do HIPAA standards address?
HIPAA established the first national standards for protecting personal health information, preventing the unauthorized sharing of that information with those who don't legally need to know it.
For example, because of HIPAA, health information can't be provided to anyone — including employers — without the consent of the individual in question. This includes information in medical records, billing information and conversations regarding medical treatment. HIPAA also gives individuals the right to view and receive copies of their health information and to be notified when the information is used and shared.
HIPAA is made up of different components that regulate how certain types of organizations are required to handle health information. For example:
- The Privacy Rule governs who has access to protected health information and requires any company working with sensitive patient data to ensure the confidentiality, availability and integrity of that data.
- The Security Rule specifies a series of administrative, technical and physical security procedures to assure the confidentiality, integrity and availability of electronic protected health information.
- The Health Information Technology for Economic and Clinical Health Act (HITECH) more clearly defines proper interaction with electronic protected health information, allows for more stringent enforcement, and increases the liabilities of companies subject to oversight as well as noncompliance fines.
How do HIPAA standards apply to nonprofits?
HIPAA standards apply to two broad categories of organizations: covered entities (any healthcare provider, health plan or healthcare clearinghouse) and business associates (any company that comes in contact with electronic protected health information, including employers that offer group health plans).
Whether or not your nonprofit needs to be HIPAA-compliant depends on the nature of your organization. As a rule of thumb, compliance is necessary if your nonprofit interacts with health information in any way. For example, compliance is required if your nonprofit:
- Provides health insurance to employees
- Provides health care services
- Provides services to clients or organizations in the health care field
- Requests medical information from clients or volunteers
While organizations such as life insurance companies and schools don't fall under HIPAA laws, access to protected health information still requires consent from the individual. Exceptions are made in certain circumstances, such as:
- If required by law, court order, public health officials or the FDA
- In cases of abuse or domestic violence
- To assist government actions
- To help in disaster relief efforts
But even then, stringent rules apply. The information shared must follow minimum necessary standards and adhere to HIPAA-approved guidelines while maintaining confidentiality and security at all times.
What does it mean to be HIPAA compliant?
HIPAA compliance involves implementing and maintaining adherence to ever-evolving HIPAA requirements, including physical, network and process security measures. Typical measures include:
- Drafting and distributing policies, authorization forms and other HIPAA-required documents regarding how health information is used and protected
- Encrypting emails that contain sensitive data
- Avoiding faxing confidential information
- Using passwords to restrict access to electronic protected health information
- Turning monitors so they're not visible to others while working with electronic protected health information
- Logging off computer systems when leaving the work area
What are the consequences of violating HIPAA standards?
Breaching HIPAA compliance — defined as the acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted by HIPAA that poses significant risk of financial, reputational or other harm to the affected individual — is a serious matter.
The U.S. Department of Health and Human Services and its Office for Civil Rights are responsible for investigating and enforcing HIPAA privacy standards, while the Centers for Medicare & Medicaid Services enforce the code set and security standards. The Office for Civil Rights determines the amount of each penalty, which depends on the nature and extent of harm that results from the breach:
- A first-time violation that the organization was unaware of carries a fine of $100 to $50,000
- The fine for willful neglect corrected within a specified period is $10,000 to $50,000 per violation
- If a willful neglect violation is not corrected, the minimum fine increases from $10,000 to $50,000
- A Privacy Rule infraction may be considered criminal and result in fines as high as $250,000 with imprisonment for up to 10 years
What happens if federal and state laws conflict?
Occasionally, federal HIPAA laws and state privacy laws conflict. When this happens, basic tenets apply. If the state law is contrary to the federal law, the federal law generally preempts the state law. If the state law is more stringent than the federal law, however, federal and state laws are considered complementary and both apply. If a conflict arises and you're unsure whether federal or state law takes precedence, seek counsel from a trusted legal resource.
What resources are available for help?
Navigating HIPAA is complex. Not only are the numerous rules and provisions nuanced and confusing, but they also continue to evolve. Every time that happens, chances are your organization needs to evolve, too. The good news is that help is readily available.
You might start with the U.S. Department of Health & Human Services website. Other resources include attorneys and other experts well versed in HIPAA guidelines and resources, as well as third-party vendors and technology providers that offer HIPAA compliance services and solutions.
Wherever you choose to start, being informed is critical. Seek expert HIPAA guidance as needed, and then act accordingly.
This article draws on the expertise of Grace Davies, a Minneapolis-based attorney with special interest in product liability, medical malpractice and employment discrimination.
U.S. Department of Health & Human Services: HIPAA for professionals
Venable: What your nonprofit needs to do about HIPAA — now (2013)
OnRamp: Compliant hosting