Understanding HIPAA: Part 1

The HIPAA in the Room

Mention HIPAA to any member of the healthcare industry and you may notice an involuntary shudder followed by a cool wave of ambivalence.  What is it about that assembly of letters that evokes such a reaction?  What is it about HIPAA …

Wait, what exactly is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, passed by Congress in 1996. It sets the standard for protecting sensitive patient data: any organization that handles protected health information (PHI), whether a covered entity or one of its business associates, must ensure that the required administrative, physical, and technical safeguards are in place and followed. This piece of legislation:

Mandates standards for healthcare information on electronic billing and other processes.

Reduces healthcare fraud and abuse.

Requires the protection and confidential handling of protected health information.

Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs.

Now, about that involuntary shudder…

Nothing boosts the endocrine system in the battle of fight or flight like a good dose of compliance. Compliance, in regard to any institution, carries a stigma of its own, and it is rarely the bright and cheerful stigma we prefer.

Any managed service provider (MSP) that aims to work with the healthcare industry must be well acquainted with HIPAA, the ways it governs the collection, storage, and transmission of electronic protected health information (ePHI), and the ramifications of being found in violation. An MSP that handles ePHI on a client's behalf is a business associate under HIPAA and is directly liable for complying with the Security Rule, not merely bound by contract. Before long, the healthcare industry will employ a workforce that has never seen a paper file or a record storage room.

Even though paper filing is now considered archaic in larger institutions, smaller and midsize institutions, in an effort to achieve HIPAA compliance, must make strategic choices when moving to electronic records and, ultimately, securing that information.

Here is the Dichotomy.  

One edge of the HIPAA sword is the distinct advantage of quickly sharing vital and sensitive medical records. The other edge is the heavy risk that, without strong security, that confidential information is shared unlawfully or unintentionally and ends up in the wrong hands.

Despite the ways technology has positively changed the landscape of the healthcare industry, especially in regard to patient record accessibility, we live in an age of security breaches that compromise the credibility and reputation of every business. It is imperative to focus not only on being compliant but on being secure in day-to-day operations: compliance is a floor, not a guarantee, and a compliant institution can still be breached.

HIPAA compliance shouldn’t cause you to shudder.  The security breaches and the negative domino effect on your institution definitely should.


Can your institution justify avoiding HIPAA compliance? Perhaps not. Just to scratch the surface, HIPAA violations may result in civil penalties of $100 to well over $50,000 per violation, depending on the circumstances. If the violation results from "willful neglect," the party is subject to mandatory fines beginning at $10,000 per violation, and far higher if the neglect is not corrected.

The real impact comes when credibility is stripped away by a data breach that compromised confidential information. A single data breach may result in numerous violations. For example, an employee loses a laptop holding the records of 500 patients. Now you are looking at 500 violations, for starters. A breach affecting 500 or more individuals must also be reported to HHS and to prominent media without delay, and it is posted publicly. The one thing that changes this picture is encryption: if the laptop's drive was encrypted to the standard HHS recognizes, the lost data is not "unsecured PHI" and the loss is not a reportable breach at all.

More severe penalties add up if the breach resulted from a failure to implement required policies or practices. Target is not a HIPAA-covered entity, but just ask Target about the impact of a breach.

At the Intersection of HIPAA Compliance and Data Security

Most people are aware of the Sony and Target data breach scandals that have recently dominated the headlines – you may have been affected by the latter. But did you know that 81% of breaches occur in small and medium businesses (SMBs)?

Many of these breaches are not at the hands of the romanticized, villainous external hackers you envision in a Sony picture but instead come from internal sources: third-party contractors, current employees, and especially former employees. That is why promptly revoking access when staff and contractors leave, and limiting each account to the records it actually needs, are among the cheapest controls an institution can put in place. This information is valuable, coveted just as vulnerable bank cash was by Bonnie & Clyde, and it needs to be protected.

Misconceptions about HIPAA run the gamut from typical to absurd, and we will continue to dive deeper into HIPAA compliance and security in our upcoming article series. Getting this intersection right ultimately leads to more profit, more trusting clients, better references, and positive growth.