When Do You Need a HIPAA Privacy Policy?

James Chiodo, Certified Information Privacy Professional CIPP/US

The Internet has changed the way we do business. The increased visibility, broader customer base, and ease in communication also bring various legal and procedural safeguards that must be in place on your website. These safeguards not only protect you as the business owner, but also your customers.

Depending on what type of website you have, you may require specific disclaimers and legal language to minimize your liability and stay in compliance with governmental agencies that monitor online businesses.

While almost every website requires a terms-of-use agreement and privacy policy, not every website will require a HIPAA privacy policy. A HIPAA privacy policy is required for websites of doctors, hospitals, insurance companies, medical information clearinghouses, and other entities that collect health information from individuals or organizations.

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to address the privacy and security of medical data. The purpose of the HIPAA privacy rule is to provide federal protection for personal health information and to give healthcare patients certain rights regarding their own information.

A covered entity is one that has access to medical information, including website owners, healthcare facilities, doctors, and insurance companies. If you are an employer that has any health clinic services available to your employees, provides any type of self-insurance health plan, or acts as an intermediary between employees and their health care providers, you could be handling information that is governed by HIPAA provisions.

The Department of Health & Human Services governs this area of law and has set strict standards and requirements for covered entities to follow. In order to be in compliance, you must have policies and procedures in place that meet HIPAA requirements, including having a privacy agreement and providing affected parties a copy of your privacy practices. A HIPAA privacy policy explains how you will handle any health information provided to you and is a necessary component of staying in compliance with HIPAA regulations.

Failure to adhere to HIPAA guidelines can result in serious penalties: up to $100 a day for every day that you are not in compliance. These fines have a maximum of $25,000 per year, per violation. If only two standards were not adhered to for a single person, the violation could result in a maximum penalty of $50,000 a year. Criminal penalties can bring up to ten years in prison, or even more if the violations are proven to be motivated by financial gain.

Using a HIPAA privacy policy and disclaimer is a small investment that can potentially save you thousands of dollars. Protecting your business and website is too important to take shortcuts.
