There are countless HIPAA settlements each year, and well over half of them involve digital and network compliance.
At the end of this you will learn:
Covered Entities (CEs) include medical providers, mental health providers, medical insurance providers, and yes, that includes medical insurance brokers/agents. Pretty much anyone who accepts insurance as a form of payment, any company that handles Protected Health Information (PHI) or electronic PHI (ePHI), and anyone who could potentially come into contact with it falls under some level of HIPAA. This includes third parties that have entered into a Business Associate Agreement (BAA) (and only if they have signed a BAA).
“A Covered Entity is any entity that receives federal financial assistance from the Department of Health and Human Services or is covered under Title II of the Americans with Disabilities Act as a program, service, or regulatory activity relating to the provision of health care or social services.” HHS
Any company that doesn’t handle, or have the potential to see or interact with, PHI. That includes the contractor who is building your IT network or repairing your office, if they don’t have a BAA. (See the problem if you don’t do an effective risk analysis for PHI?)
It depends.
First, we recommend talking to a lawyer who specializes in HIPAA about your situation. A good rule of thumb: if you have ever fallen under the CE rule, or accepted insurance in the past, currently, or will potentially in the future, you still have to protect all of that data. (Some lawyers have even mentioned that if you included HIPAA releases on your intake forms, you fall under it.) HIPAA covers past, current, and future clients’ PHI.
HOWEVER, even if you are not under HIPAA, you are still subject to the governing laws of your state and of your professional license. While HIPAA has a lot to say about how to best protect data, failing to protect your data can also expose you to the new consumer protection laws that states are adopting, which can still hit you with big fines.
The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) publish a list of the largest fines and breaches. HHS lists all HIPAA breaches involving 500 individuals or more on the OCR Portal. As of 2019 there were over 500 large breaches over a 24-month period. The largest fines and select breaches are listed on the HIPAA Resolution Agreements website.
Large breaches are only a small fraction of the fines assessed every year.
If you have a breach, you risk not only a very public description of your incident, but also a financial penalty based on the size and severity of the breach and the practice’s culpability. Not to mention the loss of patient trust and the news coverage.
In addition to fines, you may face criminal charges if the violation merits it.
Important to note: You do not need to have a breach to face HIPAA penalties.
There are five tiers based on the violations and what level of responsibility (and negligence) the entity acted in at the time of the violation.
Tier 1: Minimum fine of $100 per violation, up to $50,000, with a per-year maximum of $25,000 for each year the issues persisted.
Tier 2: Minimum fine of $1,000 per violation, up to $50,000, with a per-year maximum of $100,000.
Tier 3: Minimum fine of $10,000 per violation, up to $50,000, with a per-year maximum of $250,000.
Tier 4: Minimum fine of $50,000 per violation, with a per-year maximum of $1,500,000.
As of April 2019, fines were adjusted to reflect the maximum amount per tier violation. But the figures could change, as they are still pending additional rule-making. (Federalregister.gov)
It is important to remember that each State Attorney General can also impose HIPAA fines, of which the State keeps a percentage. As you can see, a multi-state data breach can get quite costly quickly, and that gives a state AG an incentive to push a case.
Each Tier has maximum criminal penalties as well.
Tier 1: Up to 1 year in jail
Tier 2: Up to 5 years in jail
Tier 3: Up to 10 years in jail
Plus up to 2 years for PHI theft and potential payment of restitution.
HIPAA protected health information (PHI) is any information about an individual created in the provision of medical care. This includes past, current, and future care.
ePHI is simply the electronic storage, transmission, or creation of PHI, which can happen on any device. For example: a computer, thumb drive, the internet, a cellphone, or any recording device.
HIPAA treats any company that stores or transmits PHI as a Business Associate (BA) with the Covered Entity (CE) and requires a Business Associate Agreement (BAA). If the CE does not get a signed BAA, the CE is the one that will incur the HIPAA violations even if the BA is at fault. Technically a BA does not even have to view the PHI data to fall under the BAA requirement. A BAA helps safeguard both the CE and BA with clear responsibilities in handling PHI and liability in the event of a breach. It also helps lower the risk of a breach since both parties understand and follow HIPAA best practices. Also having a good BAA and documented procedures can help lower the fines associated with a breach or violation.
That means if you create, transmit, pass through, store, or could potentially see ePHI with them, they need a signed BAA. But more on that later.
Digital marketing and websites.
PHI pertains to past, current, and, most commonly overlooked, future clients. Remember our list of PHI data? IP addresses, contact information, etc. Yes, you may have invested thousands in protecting your physical location, staff training, and internal network, but you may have left the back door wide open.
If your site is not hosted on a HIPAA-compliant server or does not have end-to-end encryption, and it has any of the following: a contact form, chat, server-hosted email, or any of a whole host of other potential website security gaps, then you are potentially exposed. We have seen some big providers of “medical websites” who built non-compliant sites.
Your website is the portal of first contact so if it is susceptible to hackers or malware, then your patient data may be intercepted.
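A quick way to check the contact-form exposure described above is to audit every form on a page for where it sends its data. The script below is an added example, not code from this site; it runs over a constructed sample page with fictional hostnames and flags forms that submit over plain HTTP, post to a third-party host (a vendor that would need a BAA), or use GET, which leaves field values in URLs and server logs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page for a fictional practice site (hostnames are placeholders).
SAMPLE_HTML = """
<html><body>
<form action="https://example-practice.invalid/contact" method="post">
  <input name="email"><textarea name="message"></textarea></form>
<form action="http://example-practice.invalid/appointment" method="post">
  <input name="phone"></form>
<form action="https://forms.example-vendor.invalid/submit" method="get">
  <input name="name"><input name="reason_for_visit"></form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each form's action URL, method, and the names of the fields it sends."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(),
                               "fields": []})
        elif tag in ("input", "textarea", "select") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])


def audit_forms(html, page_url):
    """Return (target_url, field_names, issues) for every form with a finding."""
    parser = FormCollector()
    parser.feed(html)
    site_host = urlparse(page_url).hostname
    findings = []
    for f in parser.forms:
        target = urlparse(urljoin(page_url, f["action"]))  # resolve relative actions
        issues = []
        if target.scheme != "https":
            issues.append("submits over plain HTTP")
        if target.hostname != site_host:
            issues.append(f"posts to third party {target.hostname} (needs a BAA)")
        if f["method"] == "get":
            issues.append("GET puts field values in the URL and server logs")
        if issues:
            findings.append((target.geturl(), f["fields"], issues))
    return findings
```

Any form that carries patient contact details and shows up in the findings is data leaving your control before a BAA or encryption is in place.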
Your web designer may post testimonials on your website without a signed release.
This office was on the hook for $25,000 for posting testimonials and photos on their website.
While a non-compliant website can cause a huge issue when you start to market online, the company you hire can be an even bigger risk.
More often than not, you may hire a marketing company that does not handle the data (such as lead information) with HIPAA in mind and inadvertently causes a breach. If you don’t have a BAA with them, then you are fully on the hook for their mistakes (not to mention the violation for not having a BAA). And it could put you and your practice at risk.
But how could that happen?
Example: You hire an SEO consultant or company to help your site reach the top of the search results. If they know what they are doing, they will ask for FTP access to your site, as well as higher-level access than your average user.
You could be on the hook for $300,000 like this Tennessee medical imaging company who let a contractor have FTP access and did no due diligence.
Or they may install call tracking software to show you proof of their results, logging all calls to your business, the caller’s name, and the traffic source.
Example: Posting a picture of a patient without a signed consent can get you in trouble (even if they are in the background inadvertently).
OR
Your lead generation company may be selling or buying your leads on the open market. Or using your patient list to create lookalike audiences on Facebook. We don’t need to get into the data breaches that Facebook has had…
Real posts from one large Facebook marketing group looking to buy or sell lead data.
Or your marketing company can leave their server open exposing your new clients.
But it doesn’t take much searching to find examples of potential HIPAA violations. There are literally thousands of examples of how your practice can be exposed by third-party vendors.
If you are still in doubt as to why HIPAA compliance or proper vendor due diligence is something to care about, then please re-read or look up fluffy cat videos on YouTube.
Take our HIPAA compliance quiz to see where you may be at risk and/or contact us to schedule a digital risk assessment.
$100,000 HIPAA Breach due to compromised Username and Password
Open Server Database in Search Engines.
Mental health non-profit pays $150,000 fine for un-patched and noncompliant software.
$500,000 for sharing HIPAA data with 3rd party vendor without BAA.
Allowing sales representatives access to PHI to identify patients to market to. Jail time avoided in plea agreement and settlement.
Get started now by scheduling an intro call. We’ll talk through your marketing goals, and determine if we’re a great fit.