
Health Insurance Portability and Accountability Act (HIPAA)

Compliance | izaul272 | September 1, 2023

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Act consists of three rules.

The Privacy Rule – The Privacy Rule governs who is covered, what information is protected, and how protected health information can be used and disclosed.

The Security Rule – The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Breach Notification Rule – The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

The Penalties of Non-compliance

There are four tiered ranges of penalties for violating HIPAA. There are maximum penalty caps of up to $1.5 million for all violations of an identical provision during a calendar year.

Civil Penalty

Culpability                                  Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Cap
1. No Knowledge                              $100                            $50,000                         $25,000
2. Reasonable cause                          $1,000                          $50,000                         $100,000
3. Willful neglect, timely corrected         $10,000                         $50,000                         $250,000
4. Willful neglect, not timely corrected     $50,000                         $50,000                         $1,500,000

Who is subject to HIPAA?

The HIPAA Rules apply to covered entities and business associates.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

A Covered Entity is one of the following:

A Health Care Provider
This includes providers such as:
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan
This includes:
  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Business Associates

  • The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule. HHS developed regulations to implement and clarify these changes.

How to comply with the Health Insurance Portability and Accountability Act (HIPAA)?

The Privacy Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Breach Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

How can we help?

Properly protecting patients' health data is an extensive undertaking that requires the correct knowledge and resources.

An MSSP can give you the additional resources you need to come into compliance and maintain it. The fines for noncompliance with HIPAA are extensive, let alone the loss of patient trust due to a data breach. Get the assistance that you need: contact us today so we can help you operate securely and within compliance.

Written by: izaul272
