How Does HIPAA Effect Hospitals, Clinics and Practices?

All health care entities that process health-related data are required to comply with the U.S. Department of Health and Human Services' (HHS) Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA is designed to standardize the way all health care organizations electronically exchange sensitive patient data and to protect patients from unauthorized disclosure of their medical records (whether paper or electronic).

HIPAA is a federal law that has been amended to the Internal Revenue Code of 1986 which intends to:

  • Improve portability and continuity of health insurance.
  • Combat waste, fraud and abuse in health insurance and health care delivery.
  • Promote the use of medical savings accounts.
  • Improve access to long-term health care services and coverage.
  • Simplify the administration of health insurance.
HIPAA Compliance for Covered Entities

HIPAA Goals and Guidelines

The ultimate goal of HIPAA is to increase the efficiency and effectiveness of health information systems through improvements in electronic health care transactions. It also aims to maintain the security and privacy of individually identifiable health information.

These goals help promote the modernization of health information systems. Industry analysts estimate the process of updating health information systems to be about three to four times more difficult than Y2K. Becoming HIPAA compliant is more challenging because of extensive cross-departmental compliance and training requirements. Where Y2K centered on IT procedures and systems, HIPAA affects the entire organization. With Y2K, there was a stop date when IT professionals and organizations could determine if their compliance efforts were successful. HIPAA is an ongoing administration, privacy and security challenge that must be constantly addressed.

HIPAA Compliance Guidelines

What Does HIPAA Compliance Mean?

Under HIPAA, there are specific standards that all health care organizations are required to adhere to. These standards include an Administrative Simplification Title that is aimed at preventing health care fraud and abuse. Within this title, there are several laws and proposed standards including:

  • Electronic Health Transactions Standards (45 CFR Parts 160 and 162; Final Rule; Compliance date was October 2002).
  • Privacy and Confidentiality Standards (45 CFR Parts 160 and 164; Final Rule; Compliance date was April 2003, 2004 for small health plans).
  • Unique Health Identifiers (45 CFR Parts 160 and 164; Proposed Rule; Expected Compliance date was 2004).
  • Security and Electronic Signature Standards (45 CFR Part 142; Proposed Rule; Expected Compliance date was 2004).

Who is Impacted by HIPAA?

HIPAA's standards directly apply to the following groups of health care entities:

  • Health plans.
  • Public and private payers.
  • Health care insurers.
  • HMOs.
  • Medicare and Medicaid.
  • Group health plans.
  • Health care clearinghouses.
  • Any entity that facilitates the processing of non-standard formatted health information and must convert the non-standard data into standard transactions, or vice versa.
  • Health care providers.
  • Providers who transmit health information electronically.
  • Providers who receive individual health information.
  • Providers who electronically maintain health information used in electronic transmissions between entities.

Business Impact of HIPAA Compliance

HIPAA's reach is quite broad. It impacts all health plans, clearinghouses and providers who electronically store and transmit health information. It covers all individually identifiable health information that is transmitted electronically or on paper. Current administrative processes are complex, inefficient and costly. There is a great opportunity for HIPAA to help a covered entity drive down high administrative costs and realize efficiencies, while not adversely affecting the quality of patient care.

Conversely, non-compliance with HIPAA regulations may cause disruptions in an organization's day-to-day business processes, resulting in both tangible and intangible costs. The most serious implications of HIPAA non-compliance for health care organizations include the inability to effectively conduct electronic business and the potential of losing significant segments of business.

  • Measuring the quality, safety, and efficacy of care.
  • Designing payment systems and processing claims for reimbursement.
  • Conducting research, epidemiological studies, and clinical trials.
  • Improving clinical, financial, and administrative performance.
  • Preventing and detecting healthcare fraud and abuse.
HIPAA Compliance Business Impact

Non-Compliance Penalties and Risks

Penalty for failure to comply with regulations up to $100 per violation per person up to a maximum of $25,000 per year. Penalty for knowingly and wrongfully disclosing individually identifiable health information:

  • Up to $50,000 per violation or one year imprisonment or both for simple offense.
  • Up to $100,000 per violation or five years imprisonment or both if the offense is "under false pretenses."
  • Up to $250,000 or ten years imprisonment or both if committed with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.

Litmos Healthcare's HIPAA compliance online education program is the perfect fit for all healthcare organizations. To learn more, contact us at or call 1.866.447.2211.

Risk of Non-Compliance & Government Sanctions