Understanding HIPAA Compliance: Key Rules, Applicability, and Penalties Explained
Learn about HIPAA compliance, its applicability to healthcare entities, key rules, and potential penalties for noncompliance in this informative session.
HIPAA Compliance in Nutshell HIPAA Rules PHI Data HIPAA Compliance to whom does it applicable
Added on 09/26/2024
Speaker 1: Hi, welcome to our short videos on Ask the Expert, where we take up questions asked by our viewers, clients and colleagues pertaining to the cybersecurity industry. The questions are posted on our YouTube channel that you can see on the screen. Do subscribe to our channel, where we post a lot of content and share information about the industry. You can see the link on the screen and read the description below to learn more about it. Do subscribe and click on the bell icon so you get notified about our latest video updates. Our topic for today is HIPAA compliance. HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a regulatory standard which was passed by the US Congress in the year 1996. It is a federal law and a standard concerning the privacy and security of PHI data. PHI, which stands for Protected Health Information, is data that refers to individually identifiable health information. Essentially, all health information is considered PHI when it includes individual identifiers. To give you more clarity on this, here is a list of 18 identifiers that make health information PHI data. This would include name, date, telephone number, geographic data, fax number, social security number, email addresses, medical record numbers, account numbers, health plan beneficiary numbers, certificate or license numbers, vehicle identifiers, web URLs, device identifiers, internet protocol addresses, full face photo, biometric identifiers, or any unique identifying number or codes, to name a few. The PHI data under HIPAA compliance could be any information in the form of physical records, electronic records, or even spoken information. Now that we have learnt about the PHI data that HIPAA compliance protects, let us now understand the applicability of HIPAA compliance. Well, HIPAA is applicable to healthcare providers, health plans, healthcare clearinghouses, and business associates.

So when it comes to healthcare providers, it may include nursing homes, clinics, pharmacies, or even hospitals, to name a few. When it comes to health plans, this could include health insurance companies, company health plans, and government programs like Medicare or military and veteran programs that pay for healthcare. Again, healthcare clearinghouses include public and private entities that process health information. This would typically include billing services, accounting companies, or community health management service providers. Business associates include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms, EHR providers, data disposal or shredding companies, consultants, attorneys, CPA firms, claim processors, or collection agencies, to name a few. HIPAA compliance in general is governed by three main rules. One, the privacy rule, which details how PHI can be used or disclosed. The second one is the security rule, which includes the necessary standards and safeguards to be implemented for protecting electronic PHI at rest or in transit. The third one is the breach notification rule, which requires organizations to notify patients and authorities in case of a PHI data breach. All the covered entities under HIPAA are expected to comply with these rules in order to ensure compliance. The Department of Health and Human Services Office for Civil Rights is responsible for the enforcement of HIPAA compliance. Noncompliance with HIPAA can result in financial penalties of $50,000 per incident or even up to $1.5 million per violation category per year. If a HIPAA violation persists for several years or if multiple violations of HIPAA rules are discovered, you can even expect multi-million dollar fines or even criminal penalties against you. To learn more about HIPAA violations, you can always refer to our blogs, webinars, and YouTube videos.

With this, we end our informative session here on HIPAA compliance. Hope this video turns out to be useful to you and clears all your doubts. If you still have any queries, do drop us a mail at askus@vistainfosec.com and we'd be more than happy to help you. If you have any other questions that you would like us to take up, then do drop us a mail and we will take it up in our upcoming videos. You can even share your valuable feedback with us and help us make our videos more useful to you. Until next time, take care.
