By Dan Hubbard, with 4Amanda.org.
In the next few days, we will be writing a comprehensive article on a discussion draft of the American Privacy Rights Act (APRA), which would provide new and tougher privacy rights governing the collection and use of consumer data. APRA will apply to nonprofits, but before we cover that, we wanted to cover HIPAA’s applicability to nonprofits.
HIPAA, the Health Insurance Portability and Accountability Act, sets data protection standards for sensitive patient information. Entities that handle Protected Health Information (PHI) must put physical, technical (network and system), and administrative (procedural) safeguards in place to comply. Covered Entities (health care providers, health plans, and clearinghouses) and Business Associates (vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf) must follow HIPAA’s rules, and so must a business associate’s own subcontractors that handle PHI.
HIPAA’s Privacy Rule covers PHI in any form, but its Security Rule is specifically about electronic records, which is what matters most for non-profits in the health sector. The shift to electronic health records made it easier to move records between providers but introduced new security risks, so Electronic Protected Health Information (ePHI) needs deliberate protection. Non-compliant non-profits face substantial fines, so they need to know whether they hold ePHI and what HIPAA expects of them.
HIPAA applies when an organization holds specific information about clients, members, or beneficiaries, such as health conditions, medical treatment history, and payment details. HIPAA also lists 18 identifiers (names, dates, addresses, Social Security numbers, and the like, as defined in its Safe Harbor de-identification standard) that make a health record individually identifiable; records that carry them are PHI and require robust protection. We use this checklist.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services enforces HIPAA and categorizes covered organizations into three main groups: health care providers, health plans (including health insurance companies), and health care clearinghouses. Both the covered entity and its business associates are accountable for HIPAA compliance.
HIPAA violations can result in significant penalties, depending on factors such as intent and corrective actions. The base penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision; HHS adjusts these amounts for inflation each year, so the current figures are higher.
Non-profits must prioritize HIPAA compliance by engaging database and cloud storage providers versed in HIPAA requirements. Encrypting ePHI, restricting access, keeping records, and planning for breach response are crucial steps to safeguard patient information and mitigate risks. Addressing security breaches promptly is essential to prevent repeat violations and uphold patient privacy.
Now that you understand the importance of safeguarding data, take the following steps to ensure comprehensive protection against potential breaches:
1. Consult with your database provider and cloud storage service regarding HIPAA compliance. Ensure they understand the security measures needed to keep their platforms protected. Remember, handling medical information makes them your business associates: HIPAA requires a signed Business Associate Agreement (BAA) with each of them before they receive ePHI, and both parties are accountable if a breach occurs.
2. Encrypt ePHI and control how it is accessed. Encrypt data both at rest and in transit, give each user unique login credentials, restrict access to authorized personnel on a secured network, and use well-established encryption technologies rather than improvised ones.
3. Limit access to patient and beneficiary information to the few employees whose roles require it. Grant digital access only to authorized individuals with their own login credentials, and control physical access to server rooms and printed files just as carefully.
4. Keep detailed records of who accessed which files and when. Review these audit logs regularly so that unusual activity or a potential breach is identified promptly rather than months later.
5. Develop a comprehensive plan for handling security breaches. Every organization with access to ePHI should have procedures for the failure scenarios it can foresee and for carrying out corrective measures, including the notifications to affected individuals and to HHS that the HIPAA Breach Notification Rule requires. Putting such plans in place and following them significantly reduces the risk of HIPAA violations and can save your non-profit from substantial financial penalties.
While HIPAA violations are often associated with large-scale data breaches, even minor infractions, such as sending patient records to the wrong recipient or an intern opening files they are not authorized to see, can have serious consequences. It is the non-profit’s responsibility to address any security breach promptly and put measures in place to prevent recurrence, so that sensitive patient information stays protected.
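Steps 3 and 4 amount to an access-control list plus a routine review of access logs. The script below is an added example written for this article, not code from the original post or from any HIPAA tooling: it reads a small access log, checks each entry against an authorization list (step 3), and flags the things a reviewer would want to see in a log audit (step 4): users not on the list, actions a user’s role does not permit, access outside business hours, and a user touching an unusually large number of distinct patient records in a day. The log format, the user names, the business-hours window, and the volume threshold are all constructed assumptions; a real system’s logs will look different, but the checks carry over.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): timestamp, user, action, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:05 nurse_a view PT-1001
2024-03-04T09:15:40 nurse_a update PT-1001
2024-03-04T09:30:11 billing_b view PT-1002
2024-03-04T22:47:02 intern_c view PT-1003
2024-03-04T22:47:30 intern_c view PT-1004
2024-03-04T22:48:01 intern_c view PT-1005
2024-03-04T22:48:45 intern_c export PT-1006
2024-03-05T10:02:19 nurse_a view PT-1007
2024-03-05T10:05:00 billing_b update PT-1002
"""

# Assumed authorization list: each user and the actions their role permits (step 3).
# Anyone not listed here has no business touching ePHI at all.
AUTHORIZED = {
    "nurse_a": {"view", "update"},
    "billing_b": {"view"},
}

BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 local time is normal
MAX_DISTINCT_RECORDS_PER_DAY = 3   # assumption: more than this per user per day is unusual


def parse_log(text):
    """Parse the space-separated sample log into dicts with a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
        })
    return entries


def audit(entries):
    """Return (kind, user, detail) findings for the privacy officer to review (step 4)."""
    findings = []
    records_per_user_day = defaultdict(set)
    for e in entries:
        allowed = AUTHORIZED.get(e["user"])
        if allowed is None:
            findings.append(("unauthorized_user", e["user"], e["record"]))
        elif e["action"] not in allowed:
            findings.append(("unauthorized_action", e["user"], e["action"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["user"], e["ts"].isoformat()))
        records_per_user_day[(e["user"], e["ts"].date())].add(e["record"])
    # Volume check runs after the pass so it sees the whole day for each user.
    for (user, day), records in records_per_user_day.items():
        if len(records) > MAX_DISTINCT_RECORDS_PER_DAY:
            findings.append(("high_volume", user, f"{len(records)} distinct records on {day}"))
    return findings


def flagged_users(findings):
    """Users with at least one finding, for follow-up under the breach response plan (step 5)."""
    return {user for _, user, _ in findings}


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} {user:10} {detail}")
```

On the constructed log the unlisted intern is flagged four times for unauthorized access and four times for after-hours activity, once more for touching four distinct records in one evening, and the billing user is flagged once for an update their role does not permit. The point is not the specific thresholds but that each finding ties back to a control the non-profit already claims to have: an authorization list, a record of access, and a plan for acting on what the review turns up.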