Do you need to be HIPAA compliant?
Does your carrier require secure email?
To help your business comply, BrightFire offers a secure solution that is both HIPAA compliant and PCI DSS compliant, hosted in a SAS 70 certified datacenter, to meet federal HIPAA laws and individual state regulations such as Massachusetts 201 CMR 17.
The Health Insurance Portability and Accountability Act (HIPAA) sets specific guidelines for any website that stores or transmits Personal Health Information (PHI) from one location to another. It establishes a Security Rule and a Privacy Rule, essentially requiring technical and physical safeguards for the integrity and privacy of PHI, as well as restricting access to PHI to the minimum number of people necessary.
Therefore, if you receive or transmit Personal Health Information from your website or through email, it must be protected.
Are insurance agents and brokers impacted?
Insurance agents and brokers that receive Personal Health Information via email or website quote forms will need to comply with HIPAA guidelines for transmitting that information securely.
BrightFire can provide a HIPAA compliant insurance website, encrypted quote forms, and secure email service. You can contact us for more information on our HIPAA compliant insurance website and secure email service.
What are the requirements of HIPAA?
First of all, the HIPAA Security Rule requires that all internal email communications within your organization be secured. That means staff members cannot send and receive e-PHI among themselves using personal email addresses. Your organization must use a HIPAA compliant email service, have its own domain name, and require all staff members to use that system to send and receive e-PHI.
In addition, the Security Rule:
- Mandates the security of electronic medical records pertaining to an individual, requiring that covered entities ensure the confidentiality, integrity, and availability of all electronic protected health information that the entity creates, receives, maintains, or transmits.
- Requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of all electronic protected health information, protect against reasonably anticipated uses or disclosures of such information, and ensure compliance by their workforce.
- Specifically, these standards concentrate on three aspects of security:
  - Physical Security – requires protection of electronic systems, equipment and data
  - Technical Security – authentication and encryption to be used to control access to data
  - Administrative Security – security responsibility is to be assigned to an individual
What are the penalties for non-compliance with HIPAA?
HIPAA includes severe penalties, both civil and criminal, for non-compliance. These include:
- Civil fines of $100 per violation, up to $25,000 for multiple violations of the same standard in a calendar year.
- Criminal fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.
Individuals also have the right to file a formal complaint with the U.S. Dept. of Health and Human Services (HHS) for violations of HIPAA regulations. HHS may investigate and penalize organizations.