Although HIPAA has been in place since the 1990s, many businesses are still having difficulty complying with parts of its laws. The main area where companies struggle is protection of personally identifiable information. This is information such as a last name, birth date or other piece of data that could reveal a person's identity to the public.
Companies that fail to protect personally identifying information face harsh penalties. For individuals, the consequences can be devastating after being convicted of a HIPAA violation. Any party revealing personally identifying information to another person or business could face a fine as high as $50,000 and spend up to one year in a penitentiary. Individuals who knowingly commit such a crime under false pretenses face a fine that is double that amount and may spend as many as five years in prison. For those who intend to sell, use or transfer such information, the prison sentence may be as high as 10 years. In addition to this, a $250,000 fine is assessed.
This is why it is important for those employees in leadership roles to enforce HIPAA compliance. Plans should be developed at every leadership level to ensure workers and leaders alike do not leak sensitive information. Some of the most important issues to remember when developing a plan include the following:
- Document employee training. Every now and then, employees will make a mistake. While crooked employees are likely to be rare, they may still come along once in a while. However, if HIPAA training is documented properly and procedures are distributed, this can lessen the negative impact if an employee breaches the law.
- Procedures should affect every department. HIPAA is something that every worker on every level should understand. Everyone from human resources to janitorial staff should understand the procedures for protecting information and the penalties for breaching the law. Make sure computers and electronic files with sensitive information are properly protected. Employee e-mail accounts should also be customized with Outlook to avoid the possibility of sensitive information being sent.
- Audit all subcontractors. Employers are responsible for vendors' and subcontractors' actions. Businesses that regularly handle private information should protect it from any subcontractors or vendors. If it is not entirely possible to keep all private information from a vendor or subcontractor because of relevant duties, make sure they learn about HIPAA and how to comply.
- Make areas with private information secure. Separate common areas and places where sensitive information is kept. Access to private data should be restricted, so only employees who need to use the information to do their jobs may be allowed to access it. Keep all private data in locked storage devices. Implement an accountability system that monitors who accesses information at various times.
- Use shredders. Since identity thieves thrive on what they find in the garbage outside of businesses, use high-quality shredders to discard any papers with sensitive information. Documents should be shredded immediately and not piled up for mass shredding sessions.
- Make privacy a workplace culture. All managers and supervisors should strictly enforce privacy rules. Good examples should be set at every level of leadership to establish a workplace privacy culture.
- Shut off the auto-complete option. For electronic correspondence programs, turn off auto-complete features to avoid accidentally leaking personal information. With some auto-complete features, a name or word is automatically entered after it has been typed a few times. This practice helps workers ensure they use the correct names and e-mail addresses.
- Protect employee files. HIPAA laws do not only apply to clients or customers. They also apply to the information of employees. Managers and human resource workers should clean up employee files by blotting out personally identifiable information that is not necessary for certain records.
- Ask for outside help. Since penalties for noncompliance are so harsh, it is beneficial for employers to seek outside help and training. Specialized training can be made available to human resource managers and IT staff. Every company should ensure that workers assigned with the task of HIPAA compliance assurance should receive all of the support they need. It is important to routinely meet with such individuals to gather updates and ask about any needs or suggested changes.
