HIPAA Compliance for Voice Communications, Part 1: HIPAA Overview
Ever-evolving technology underscores the need to diligently maintain HIPAA compliance for voice communications. Compliance isn't just about avoiding fines and penalties; it's about trust, reputation, and ensuring your business is eligible for new, potentially lucrative opportunities. This four-part series offers an overview of HIPAA laws, how they apply to phone systems, often-overlooked violations and how to choose a provider to keep your voice communications HIPAA compliant.
HIPAA overview for voice communications
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to prevent the disclosure of protected health information (PHI) without patient consent. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA with new provisions covering electronic protected health information (ePHI), that is, PHI that is transmitted or stored electronically.
Four HIPAA rules pertain to voice communications:
1. Privacy Rule
The Privacy Rule mandates that companies must protect medical records and sets conditions for the use and disclosure of protected health information. For voice communications, this means creating policies that prevent unlawful sharing of PHI.
2. Security Rule
The Security Rule is designed to maintain the confidentiality of electronically transmitted PHI. It requires administrative, physical and technical safeguards for sending, receiving and storing protected data.
3. Breach Notification Rule
The Breach Notification Rule requires companies to notify the U.S. Department of Health & Human Services if there is a breach of unsecured PHI.
4. Omnibus Rule
The Omnibus Rule extends HIPAA regulations to business associates and subcontractors that work with covered entities.
Who must have HIPAA-compliant voice communications?
Both covered entities and business associates need to ensure their voice communications comply with HIPAA guidelines.
Covered entities are healthcare providers, health plans and healthcare clearinghouses that electronically transmit protected health information. Examples include:
Clinics
Doctors
Health insurance companies
Business associates are companies that perform services on behalf of a covered entity and therefore have access to protected health information. Examples include:
Billing and coding companies
Attorneys
Accountants
Consultants
Benefit management companies
IT service providers, including Internet and phone system providers
Medical transcription services
What qualifies as PHI?
Protected health information is any information that links an identifiable individual to their health records, including lab results, medical histories and medical bills. HIPAA lists 18 identifiers that make health information individually identifiable:
Names
Geographic information
Dates
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate or license numbers
License plate numbers and other vehicle identifiers
Device serial numbers and other identifiers
IP addresses
Web URLs
Biometric data such as fingerprints
Full face photos
Any other unique identifying number, characteristic or code
Penalties for HIPAA violations
The HHS Office for Civil Rights investigates HIPAA violations and has a tiered penalty system based on an organization's knowledge of each offense:
Tier 1: No knowledge of the violation. Penalties range from $120 to $60,226 per violation, with a maximum penalty of $1,806,757 per year.
Tier 2: Reasonable cause. The company should have foreseen the violation. Penalties range from $1,205 to $60,225 per violation, with a maximum penalty of $1,806,757 per year.
Tier 3: Willful neglect, corrected. The company was negligent but corrected the issue within 30 days. Penalties range from $12,045 to $60,225 per violation, with a maximum penalty of $1,806,757 per year.
Tier 4: Willful neglect, not corrected. The company was negligent and did not correct the issue within 30 days. Penalties range from $60,226 to $1,806,757 per violation, with a maximum penalty of $1,806,757 per year.
Depending on the nature of the violation, the Department of Justice could pursue criminal charges. Criminal penalties for HIPAA violations include:
Up to $50,000 in fines and one year in prison for knowingly obtaining or disclosing PHI
Up to $100,000 in fines and five years in prison for offenses committed under false pretenses
Up to $250,000 in fines and ten years in prison for offenses committed with commercial or malicious intent
Offenders are also subject to civil lawsuits from patients and others affected by HIPAA violations. Of course, avoiding monetary fines and potential imprisonment isn't the only reason to comply with HIPAA laws. Covered entities and business associates need to uphold their reputations, maintain trust and prevent opportunity costs associated with HIPAA violations.
Next steps
Learn more about what HIPAA means for your phone system in Part 2 of this guide.