Small Companies Need to Act on HIPAA Rules

On April 14, many small businesses covered under the Health Insurance Portability and Accountability Act (HIPAA) will be required to comply with new rules regarding privacy protections for their employees. The Information Technology Solution Providers Alliance (ITSPA) advises small- to medium-sized businesses that are “covered entities” to take HIPAA requirements very seriously.

HIPAA, signed into law in 1996, primarily addresses the privacy of individuals’ health information by establishing a nation-wide federal standard concerning how private data can be used and disclosed. Additionally, HIPAA is designed to provide health insurance benefits such as making coverage available to SMBs, allowing employees to enroll for coverage when they lose other health insurance, prohibiting discrimination in enrollment and premiums charged to employees based on various health-status factors, and limiting exclusions for preexisting medical conditions.

The goal of the federal legislation is to attain increased efficiency in claims processing by rigidly enforcing new standards of reporting, as well as to protect patient health information. Darren Spohn, president and CEO of Austin, Texas-based Spohn & Associates and ITSPA advisor, said the April 14 deadline is just one of many HIPAA requirements that must be met.

“The privacy rule requires covered businesses to implement mandated policies and procedures to maintain the confidentiality of patient health information,” Spohn said. “The challenge for SMBs is to determine whether they have to comply with HIPAA rules.”

The Department of Health and Human Services (DHHS) describes the types of businesses that are covered under the new rules. For example, if a small business provides health care or health care claims processing, or is a health plan provider, it is defined as being a covered entity.

Spohn added that the DHHS also indicates that companies providing health care services or supplies related to the health of an employee during the normal course of business may be considered a covered entity.

“This could include SMBs that provide home health, rehabilitation, health consulting and psychiatric services, and the sale or dispensing of a drug, device or equipment in accordance with a prescription,” Spohn said.

ITSPA Chairman Andrew Levi said small businesses that are “covered entities” should take HIPAA requirements very seriously.

“Enforcement of the privacy rule includes civil penalties ranging from $100 to $25,000 per person per violation,” Levi said. “And criminal penalties, especially for using health information for commercial gain, are even more severe with fines ranging from $50,000 and/or one year in prison up to $250,000 and/or ten years in prison.”

With this in mind, members of ITSPA’s Technology Committee, made up of IT directors from the nation’s top solution providers, offer the following tips to SMBs on how to comply with HIPAA regulations.

  • Provide employee reviews: Give all employees the opportunity to review and change, if required, their protected health information.
  • Distribute a privacy notice: Prepare, post and distribute a privacy notice for all employees to see that spells out HIPAA requirements.
  • Update healthcare documents: Revise company healthcare documents to reflect current HIPAA regulations regarding permissible uses and disclosures of protected health information.
  • Put safeguards in place: Implement safeguards, such as assigning someone the responsibility of handling privacy issues and establishing methods for handling complaints.
  • Work with service providers: Establish agreements with outside companies that help administer your health plan to ensure compliance with privacy requirements.
  • Train employees in HIPAA privacy rules.
  • Lock up records and files: Keep locked any cabinets and file cabinets that contain employee healthcare information, and use computer passwords and firewalls to protect online information.
  • Beef up your computer hardware security features: PCs and other access devices that haven’t been secured make it easy for records privacy to be violated.
  • Ask an IT solution provider for help: SMBs that need more information about HIPAA can turn to their local IT solution providers for assistance or visit the DHHS Web site prior to the April deadline to determine whether new privacy rules apply to their businesses.

The ITSPA is a national, non-profit group established to help the nation’s eight million SMBs understand how local technology providers can help them grow.

Small Business Computing Staff