The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to address health insurance portability and Medicaid integrity, and to protect sensitive patient health data.
Many of those outside the health care field aren’t up to date on HIPAA requirements or the penalties for non-compliance, because they see it as a rule that applies only to health-related businesses.
But if you’re in the financial services industry, you could also be subject to HIPAA regulations, depending on the type of work you do.
Technical Evolutions helps accounting and financial firms in the Chicagoland area with data privacy compliance and IT security needs. The fine print of how regulations are interpreted can mean all the difference in your liabilities as they relate to HIPAA and other data privacy regulations.
We help financial firms and other types of businesses understand exactly what needs to be done with their technology infrastructure and workflows to ensure necessary compliance with data privacy and we help them every step of the way with ongoing support.
How are Financial Firms Subject to HIPAA?
If your financial firm provides services for any healthcare entities (doctor’s offices, hospitals, nursing care facilities, etc.), then your business could also fall under the HIPAA regulation, depending on the types of services you provide.
The HIPAA regulation uses two definitions that could be pertinent to the work of a financial firm:
- “Covered entity”
- “Business associate”
A covered entity includes: (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards.
A business associate includes: “A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA.”
But What About the Financial Entity Exception?
One reason why some financial firms may feel they’re not subject to HIPAA, other than for health insurance plans they administer to their employees, is a defined financial institution exception in the rule.
This states that a financial institution is exempt from HIPAA compliance requirements if it is only engaged in payment processing for a healthcare-related firm. This includes functions such as authorizing, processing, clearing, settling, billing, transferring or collecting payments.
However, anything beyond payment processing can mean a financial firm is no longer covered by that exemption and falls under the requirement for HIPAA compliance.
For example, a bank that provides clearinghouse services for a healthcare client could be considered a “covered entity.” An accounting firm that uses or needs to disclose protected health information (PHI) to perform services on behalf of a client could be considered a “business associate” and fall under the umbrella of requirements for HIPAA.
A Financial Firm Might Be a Business Associate If…
Whether or not your financial firm is considered a business associate is a determination that is typically made individually by each firm. However, data privacy experts, like Technical Evolutions, can help you understand whether or not you’re subject to HIPAA.
Here are some examples of financial firms that would be considered a business associate and thus required to comply with HIPAA regulations:
- A CPA firm that needs access to protected health information in the course of providing accounting services to a health care provider
- Consulting firms that provide utilization reviews for hospitals
- A financial services firm that assists a health plan with claims processing
What are Business Associate Requirements Under HIPAA?
If your financial firm provides services beyond simple payment processing and falls under the HIPAA regulatory requirements as a business associate, you are obligated to comply with certain HIPAA provisions, including:
- Conducting a security rule risk assessment
- Developing your own internal HIPAA policies and procedures relating to the use and disclosure of PHI
- Establishing cybersecurity practices including administrative, physical and technical safeguards to prevent, detect and correct security breaches
- Putting into place and adhering to the terms of your business associate agreements with covered entities
The penalties for being out of compliance with the HIPAA regulation can be steep, which is a catalyst for financial firms to take a look at their business with any health care entities and understand their liabilities.
It’s also important to know that a single incident, such as a lost laptop that contains 200 files of protected health information, can result in not one, but 200 separate violations.
HIPAA violation penalties for business entities include:
- If the business associate did not know of the violation: $100 to $50,000 per violation, up to $1,500,000 per identical violation per year
- If there was reasonable cause and no willful neglect: $1,000 to $50,000 per violation, up to $1,500,000 per identical violation per year
- If there was willful neglect but the violation is corrected within 30 days of being known: mandatory fine of $10,000 to $50,000 per violation, up to $1,500,000 per identical violation per year
- If there was willful neglect and the violation was not corrected within 30 days of being known: mandatory fine of not less than $50,000 per violation, up to $1,500,000 per identical violation per year
Need Help Navigating HIPAA Regulations?
If you have an accounting or financial firm and need help understanding your liabilities under HIPAA, Technical Evolutions can help! Our IT security experts can assist you with identifying whether you’re subject to this rule and help with any and all compliance and IT security needs.
Contact us today to schedule a free consultation at 708-540-6201 or reach out online.