Medical documentation is vital to the work of law firms and insurance companies. Law firms, for example, use medical records to win medical malpractice lawsuits and other personal injury cases. Companies that offer health insurance rely on medical records to evaluate an applicant’s risk profile.
Law firms and insurance companies obtain medical records so often that many of them consider partnering with a record retrieval provider. But before they do, they must make sure their potential provider’s record portal is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Here are the reasons why:
Medical records are protected under HIPAA
In the United States, HIPAA safeguards protected health information (PHI) from being disclosed without the patient’s consent or knowledge. PHI is any past, present, or future healthcare information that can be used to identify an individual, such as:
- Physical health or condition of a patient
- Healthcare treatments rendered to a patient
- Details of payment for the healthcare services rendered to a patient
Under HIPAA, any person or entity that uses or discloses PHI on behalf of a covered entity (i.e., health plan providers, healthcare clearinghouses, and healthcare providers) must also secure PHI. Therefore, law firms and insurance companies should have HIPAA-compliant safeguards in place if they use medical records. If they work with record retrieval providers, then their provider should also comply with HIPAA regulations.
HIPAA requires three types of safeguards to be implemented:
- Administrative – Policies and procedures that help protect against a breach (e.g., employee training, background check)
- Physical – Measures that ensure data is physically secure (e.g., surveillance cameras, locked doors)
- Technical – Technology and related policies that protect data from unauthorized access (e.g., NIST encryption standards, access controls)
HIPAA noncompliance can be expensive
A HIPAA violation, even if it doesn’t involve or lead to a data breach, can still result in penalties — the amount of which depends on the level of negligence:
- Violation attributable to ignorance: $100–$50,000 per incident
- Violation that occurred despite reasonable vigilance: $1,000–$50,000 per incident
- Violation due to willful neglect that is corrected within 30 days: $10,000–$50,000 per incident
- Violation due to willful neglect that is not corrected within 30 days: $50,000 per incident
If a breach occurred, the financial consequence of the HIPAA violation will also factor in the number of records potentially exposed by the breach and the risk posed by the unauthorized disclosure.
For example, health insurer Anthem paid a $16 million settlement after a series of targeted cyberattacks in 2015 left close to 79 million customer records exposed. Office for Civil Rights Director Roger Severino said, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
Record Retrieval Solutions (RRS) strictly complies with HIPAA
When you partner with RRS, you are guaranteed secure online access to our record portal. We implement multiple, HIPAA-compliant measures such as:
- Use of only US-based servers
- 128-bit SSL site encryption
- 256-bit AES data encryption
- User login and passwords
- Java-based anti-URL phishing measures
With all of these safeguards in place, you can rest assured that all records entrusted to us will remain private and protected.
Ready to let RRS handle your medical records retrieval? Contact us today.