That’s the number of healthcare records that were exposed, stolen, or impermissibly disclosed in 2019.
It was the second worst year ever for healthcare data breaches, with more records impacted than in the previous three years combined.
Here’s the most surprising part: It’s not just healthcare organizations that are to blame.
Across several key industries, countless companies face the very real possibility that they could soon be facing hefty fines, fees, and penalties—whether they are aware of it, or not.
Why? Because of HIPAA compliance. More specifically, a lack of awareness around HIPAA compliance for business associates.
While mention of the Health Insurance Portability and Accountability Act (HIPAA) usually leads to visions of doctors’ offices and hospital waiting rooms, the set of regulations in fact extends to many other non-medical companies.
How can you know if your business needs to keep HIPAA in mind? Let’s take a look at three important facts that all companies should consider when it comes to these critical compliance measures.
1. HIPAA impacts more than just hospitals and healthcare facilities.
Contrary to commonly held assumptions, HIPAA doesn’t strictly apply to hospitals and physicians. While the requirements are intended primarily for health plans and providers, they also extend to business associates such as law firms, attorneys, accountants, insurance agents, consultants, and advisors.
The reason? These companies often perform tasks that involve access to patient data, which makes them equally responsible for meeting the rules and regulations outlined in HIPAA.
However, while health organizations are well aware of the need to abide by HIPAA, determining when a non-medical company needs to maintain compliance can be trickier. Put simply: If you have access to sensitive data that’s subject to HIPAA, regardless of how you acquired that access, you need to be HIPAA compliant.
Any business that collects, shares, or receives electronic protected health information (ePHI) should be on high alert. If your company hasn’t already started the process of ensuring HIPAA compliance, the time to act is now.
2. A surprising number of business associates remain in the dark.
Business associates have been separately liable for HIPAA compliance for more than a decade. These companies can be investigated, audited, and fined just like healthcare entities.
Yet a surprising number of businesses remain unaware that they need to be abiding by HIPAA regulations—or that they could face some serious consequences if and when they’re caught for noncompliance.
A survey conducted by Legal Workspace, for example, suggested that a large number of law firms are not complying with the rules of HIPAA, even though they deal with patient data. And some of the worst HIPAA news last year involved the breach of 20 million patients’ information that was caused not by a healthcare facility, but rather a business associate.
The primary problem is that many covered entities simply don’t understand what qualifies as a business associate. If this area is a new one to you, take some time today to become familiar with how the department of Health and Human Services defines business associates.
Did you know? Data breaches are one of the leading HIPAA compliance violations. 2019 was one of the worst years for healthcare cybersecurity, with the largest attack compromising more than 25 million patient records from a single healthcare provider.
3. Avoiding dangerously high penalties requires several key steps.
Failing to comply with HIPAA is no small matter. HHS has been cracking down on HIPAA violations in recent years, going so far as to increase fines. That means a single infraction, whether intentional or not, could end up costing you millions of dollars.
To help ensure your company will avoid this frightful fate, we recommend assessing any software and tools you use to manage patient health data, such as a data collection tool or contract management software. Make sure there are security measures in place to encrypt your data, both when it’s in transit and at rest. And if the nature of your work requires you to collect patient data, don’t use an online form builder unless it’s HIPAA compliant.