Memoranda Title: Healthcare industry: Data privacy requirements per the Health Insurance Portability Accountability Act (HIPAA)
Date: March 1, 2017
Introduction and Problem Definition
Health care data can be used for providing preventative and emergent health care to health care consumers. The use of this data in aggregate can provide huge datasets, which will allow big data analytics find hidden patterns that could be used to improve healthcare. However, the Health Insurance Portability Accountability Act (HIPAA) is a health care consumer data protection act, which must be followed. This Act protects health care consumers’ data from being improperly disclosed or used; and any data exchanged between health care providers, health plans, and healthcare clearinghouse should be necessarily minimized for both parties to accomplish their tasks (Health and Human Services [HHS], n.d.a.; HHS, n.d.b.). Though the use of big health care data is promising, we must follow our Hippocratic Oath, and HIPAA is the way of keeping our oath while providing new services to our consumers.
All health care data either physical or mental from a person’s past, present and future is protected under HIPAA (HHS, n.d.a). According to the HHS (n.d.b.), groups with health care consumers’ data should always place limits on those who have read, write, and edit access to the data. Identifiable data can include name, address, birth date, social security number, other demographic data, mental and physical health data or condition, and health care payments (HHS, n.d.a). Any disclosure of health data must be obtained from the individual is via a consent form that states specifically who will get what data and for what purposes (HHS, n.d.a; HHS, n.d.b.).
Consequences of data breaches
A violation is obtaining or disclosing individually identifiable health information (Indest, 2014). Those that are subject to follow the HIPAA regulations are health plans, healthcare providers, and health care clearinghouses (HHS, n.d.a.; HHS, n.d.b.). Any violations by any of the abovementioned parties that have been detected must be corrected within 30 days of discovery to avoid any of the civil or criminal penalties (up to one year of imprisonment) from an HIPAA Violations (Indest, 2014).
Table 1: List of tiered civil penalties for HIPAA Violations (HHS, n.d.a.; Indest, 2014).
|HIPAA Violation||Minimum Penalty||Maximum Penalty|
|Unknowingly causing a violation||$100 per violation until $25K is reached per year||$50K per violation until $1.5M is reached per year|
|Reasonable violation not done by willful neglect||$1K per violation until $100K is reached per year||$50K per violation until $1.5M is reached per year|
|Willful neglect with a corrective action plan but requiring time to enact||$10K per violation until $250K is reached per year||$50K per violation until $1.5M is reached per year|
|Willful neglect with no corrective action plan||$50K per violation until $1.5M is reached per year||$50K per violation until $1.5M is reached per year|
- Indest, G. F. (2014). Failure to comply with HIPAA can result in both civil and criminal penalties. Retrieved from http://www.thehealthlawfirm.com/blog/posts/failure-to-comply-with-hipaa-can-result-in-both-civil-and-criminal-penalties.html
- Health & Human Services. (n.d.a.). Summary of HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?language=es
- Health & Human Services. (n.d.b.). Your rights under HIPAA. Retrieved from https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/