In 1996, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), which includes provisions on health care and insurance. Title I of HIPAA addresses health insurance coverage, while Title II (the "administrative simplification" provisions) regulates, among other things, the privacy and security of patient health information. Title II brought about major changes in health care administration in the US and changed the way patient health records are managed. Health care organizations and individuals who fail to comply with these rules commit a HIPAA violation, which can carry both civil and criminal penalties.
The privacy and security rules issued under Title II group their safeguards into three basic categories: administrative, physical, and technical. The administrative safeguards require every covered organization to designate an individual who is responsible for patient privacy and for ensuring that HIPAA regulations are followed (in practice a privacy official under the Privacy Rule and a security official under the Security Rule, who may be the same person). This category also covers employee training, agreements with third parties (business associates) who may view patient records, and policies for handling a security breach. An organization that fails to designate someone to manage HIPAA requirements may be found in violation and subject to penalties, and any failure to implement the required administrative policies can represent an additional HIPAA violation.
The physical safeguards require health care organizations to protect patient records against unauthorized physical access, for example by keeping paper files in locked storage and restricting access to the workstations and devices that hold electronic records. The organization must keep these files away from the public and grant access only on a need-to-know basis. An employee who snoops in files that he or she does not need to see to perform the job can be guilty of a HIPAA violation even when the organization's own controls were in place. This category also requires organizations to dispose of records safely and securely when they are no longer needed, for example by shredding paper and wiping or destroying storage media.
The technical safeguards govern electronic patient records. Organizations must implement access controls so that only authorized users can reach a record, and every user must be given a unique identifier so that the organization, and regulators investigating a complaint, can determine who accessed which records. A single password shared among everyone who "needs access" falls short of this requirement because it leaves the access trail unattributable. Audit controls must record that activity, and encryption of stored and transmitted records is an "addressable" specification: the organization must either implement it or document why an equivalent measure is reasonable and appropriate in its environment.
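The following is an added example, not code from the original article or from any HIPAA guidance, showing the three mechanisms the technical safeguards ask for in miniature: per-user credentials stored as salted PBKDF2 hashes, a minimum-necessary access check based on the user's role, and an audit entry for every access attempt keyed by the unique user ID. All users, roles, passwords and the patient record are constructed sample data, and the role-to-field mapping is an assumption made for the demo rather than anything the rules prescribe.

```python
import hashlib
import hmac
import os
import time

# Constructed demo users and passwords. A real system keeps only the salted
# hashes in its credential store; they are derived here so the demo is self-contained.
_DEMO_PASSWORDS = {
    "dr.lee": "wrong-horse-battery",
    "nurse.kim": "pager-1234",
    "billing.ann": "claims!2024",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {}  # user_id -> (salt, hash); one credential per person, never shared
for _uid, _pw in _DEMO_PASSWORDS.items():
    _salt = os.urandom(16)
    USERS[_uid] = (_salt, _hash_password(_pw, _salt))

# Assumed role model (hypothetical): which record fields each role needs.
ROLES = {"dr.lee": "physician", "nurse.kim": "nursing", "billing.ann": "billing"}
FIELD_ACCESS = {
    "physician": {"name", "diagnosis", "medications"},
    "nursing": {"name", "medications"},
    "billing": {"name", "insurance_id"},
}

# Constructed sample record.
RECORD = {
    "name": "Jane Doe",
    "diagnosis": "Type 2 diabetes",
    "medications": "metformin 500mg",
    "insurance_id": "INS-00042",
}

AUDIT = []  # append-only audit trail; every entry names the unique user ID


def authenticate(user_id: str, password: str):
    """Return user_id on a correct password, None otherwise (constant-time compare)."""
    entry = USERS.get(user_id)
    if entry is None:
        return None
    salt, expected = entry
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return user_id
    return None


def access_record(user_id: str, fields):
    """Return only the requested fields the user's role is allowed to see.

    Every attempt, granted or denied, is written to AUDIT under the user's own
    ID, which is what makes a later 'who looked at this record?' question answerable.
    """
    fields = set(fields)
    role = ROLES.get(user_id)
    allowed = FIELD_ACCESS.get(role, set())
    denied = fields - allowed
    AUDIT.append({
        "ts": time.time(),
        "user": user_id,
        "fields": sorted(fields),
        "granted": not denied,
    })
    if denied:
        raise PermissionError(f"{user_id} not permitted to read {sorted(denied)}")
    return {f: RECORD[f] for f in fields}


if __name__ == "__main__":
    who = authenticate("billing.ann", "claims!2024")
    print(access_record(who, ["name", "insurance_id"]))
    try:
        access_record(who, ["diagnosis"])  # snooping outside the role: denied and logged
    except PermissionError as e:
        print("denied:", e)
    print(AUDIT)
```

Because every entry in `AUDIT` carries the authenticated user's own identifier, a denied read of `diagnosis` by the billing account is attributable to that person; with a shared departmental password the same log line could only say "billing", which is exactly the gap the unique-user requirement closes.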
Penalties for a HIPAA violation cover both intentional and unintentional violations, including those caused by simple neglect. Civil penalties are tiered by the level of culpability, and under the HITECH Act of 2009 they can reach $1.5 million US Dollars (USD) per calendar year for violations of a single provision (the caps have since been adjusted for inflation), so repeated violations of several provisions can add up to considerably more. Criminal penalties apply to knowing violations: fines of up to $50,000 USD and up to one year in prison for a basic offense, up to $100,000 USD and five years when the offense is committed under false pretenses, and up to $250,000 USD and ten years when records are obtained or disclosed with intent to sell them, for commercial advantage, or to cause malicious harm.