Serving Colorado's Counties

Technical Update vol. 26 no 37 - Understanding HIPAA

September 13, 2022

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 with the primary goals of ensuring continuous health insurance coverage for people who have lost or changed jobs and lowering costs by standardizing rules for storing and transmitting protected health information (PHI). Part of the act deals with the safety and security of PHI. The Office for Civil Rights (OCR), part of the U.S. Department of Health & Human Services (HHS), offers training for health care organizations on the civil rights, health information privacy, and patient confidentiality laws that they are subject to under HIPAA. The OCR also audits organizations for compliance with HIPAA laws and investigates complaints concerning possible violations.

HIPAA Fines

HIPAA fines use a tiered system. A first-tier fine, which HHS defines as a violation where “the covered entity did not know and could not reasonably have known of the breach,” can range from $100 to $50,000 per violation or per record, with a maximum fine of $1.5 million per year for each violation. A fourth-tier fine, in which “the covered entity ‘acted with willful neglect’ and failed to make a timely correction,” ranges from $50,000 to $1.5 million per incident. The OCR may also bring criminal charges in certain instances, adding litigation costs on top of the fines. Penalties like these can be ruinous to small and mid-size organizations, so you must verify that you, and any business with whom you might share PHI, comply with HIPAA guidelines.

HIPAA Guidance

The HHS provides numerous publications that offer guidance and training on HIPAA regulations at www.hhs.gov/hipaa/index.html. If your organization deals with PHI, take the time to review and assess the security measures used to protect that information. PHI includes 18 unique, personally identifiable information elements, including names, phone numbers, vehicle identifiers, email addresses, and medical records. Educate your employees on what information is and is not protected under HIPAA to limit the risk of data breaches and the accompanying fines.

What This Means for Counties

County employees who handle PHI should be trained on HIPAA regulations and protections. As a service to our members, CTSI offers a Training Library of relevant, curated films on a wide range of human resources, workplace safety, and other work-related topics at www.ctsi.org. If you would like to learn more about HIPAA, the Training Library offers two films, HIPAA Overview and HIPAA Crash Course. You may also contact our Loss Control department at 303 861 0507 for additional training resources. 
