HIPAA Certification: Non-Compliance Repercussions are Costly

Have you ever called a healthcare facility trying to get information on a patient and got stonewalled? Most Covered Entities (CEs) and Business Associates (BAs) have to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and get HIPAA Certification. For that reason, they will not openly disclose information on patients without express permission.

HIPAA certification works to protect patient information and privacy by limiting access to individually identifiable health information. This means the CE requires the patient’s written authorization to provide information to relatives, insurance agencies, attorneys, financial services providers, marketers, or researchers. Healthcare providers, insurers, and health-related financial services need to adhere to HIPAA and obtain HIPAA Certification. A reputable recycling company will go to great lengths to protect the privacy of past owners of electronic devices. This includes any individually identifiable information that can be swiped off discarded computers, phones, hard disk drives, or other kinds of electronic storage devices.

Repercussions for Flouting HIPAA Certification

The wireless cardiac monitoring service CardioNet Inc. learnt the hard way what it means to disregard HIPAA compliance. The Department of Health and Human Services Office for Civil Rights (OCR) announced a HIPAA settlement amounting to $25 million, together with an agreement by CardioNet to implement a corrective action plan.

The 24 April 2017 settlement announcement followed an incident in which a CardioNet workforce member lost a laptop containing the unsecured electronic protected health information (ePHI) of over 1,390 individuals. The incident happened in 2012, when the laptop was reportedly stolen from a parked vehicle outside the workforce member’s home.

After the settlement announcement, Roger Severino, OCR Director, was quoted as saying, “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

In February 2017, the nonprofit Memorial Healthcare System (MHS), based in South Florida, had to pay the US Department of Health and Human Services a $5.5 million settlement for potential violations of HIPAA. It is important that all companies understand exactly what HIPAA Certification requires and how to ensure adequate data security, including for data stored on old electronics marked for disposal.