5 Reasons to Take HIPAA Compliance Seriously


If you’re a covered entity or a business associate, you’re required to follow HIPAA regulations to safeguard protected health information. For example, healthcare companies are covered entities, and the web hosting companies that serve them are considered business associates.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is a collection of rules for managing protected health information. For all who manage, store, use, or share protected health information (PHI), HIPAA compliance is mandatory.

HIPAA regulations are some of the most important data privacy regulations in existence and should be followed to the letter. People have a right to privacy and expect those in charge of their data to take privacy seriously.

If you’re bound by HIPAA, here’s why you should take your obligations seriously.

1. Nobody is immune from a data breach

Data breaches happen just about every day. Although major tech and financial companies are frequent targets, small businesses are most at risk. Attackers know that small businesses usually lack strong cybersecurity, which makes them the most vulnerable targets.

According to data published by Bentley University, 36% of targeted cyberattacks hit small businesses with 250 or fewer employees. What’s even scarier is that 69% of small businesses don’t have a plan to manage a cyberattack.

As a small business, an entrepreneur, or even a blogger, you’re at high risk for a data breach and need to have proper protective measures in place.

2. Data breaches come with hefty fines

You can be heavily fined for violating data privacy laws, including incident disclosure laws. For HIPAA violations, the minimum fine for willful violations is $50,000 and maxes out at $250,000. That’s per violation. You can also get up to one year in prison.

The largest data breach fines so far have been in the millions. For instance, Advocate Health Care was fined $5.55 million for three separate breaches beginning in 2013. One breach involved four stolen company laptops, the second was a lack of safeguard assurances from a business associate, and the third breach involved ePHI records stolen from an unlocked vehicle.

Other notable HIPAA fines include:

· $4.8 million paid by NY Presbyterian Hospital and Columbia University Medical Center in 2010.

· $4.3 million paid by Cignet Health of St. George County for denying patients access to their medical records between 2008 and 2009.

· $3.9 million paid by Children’s Medical Center of Dallas after an unencrypted Blackberry, iPod, and laptop were stolen.

· $3 million paid by Cottage Health for two breaches – one in 2013 and another in 2015 caused by a server misconfiguration.

3. Your business can be held liable

If you don’t follow HIPAA regulations, your business will likely be held responsible for a data breach. If you’re just a business associate, like a web host, you can almost count on being sued by the covered entity.

If your negligence or lack of adherence to HIPAA regulations caused the data breach, a lawsuit is inevitable.

4. Your boss can hold you responsible

Individuals working for a covered entity or business associate can be held liable for a data breach if their carelessness led to the breach. For example, someone who troubleshoots a database problem for a covered entity and ends up exposing protected health information (PHI) will probably be terminated from their job.

As an individual, you’re not exempt from following HIPAA regulations, even if your employer doesn’t have HIPAA-compliant rules in place. At any time, if your mistakes lead to a data breach, you can expect to be terminated.

5. Encryption won’t prevent a data breach, but it will prevent exposure

HIPAA regulations require covered entities and business associates to take adequate measures to protect health data. While encrypting data isn’t required, it’s the only effective way to protect data.

Encryption is important because you can’t prevent all data breaches. In fact, most data breaches are caused by human error.

At some point, data will be stolen. However, encrypted data can’t be read by unauthorized parties without a decryption key. In other words, stolen data is useless to unauthorized parties when encrypted.

Instead of focusing all of your attention on preventing every possible breach, start encrypting your data at rest and in transit with end-to-end encryption. Preventing breaches is still important, but without encryption you’re always vulnerable.

However, encryption is only as strong as the handling of its keys: an attacker who obtains the key can read the data, so make sure you only use software that doesn’t store encryption keys alongside the data where hackers can get them, and make sure the encryption uses strong, current algorithms.
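The following added example (not code from the original post) shows what "stolen but encrypted" means in practice for a PHI record at rest: the blob stored on disk reveals nothing in the clear, decryption with the wrong key fails, and any alteration of the blob is detected. The key is loaded from outside the data store (the environment variable name `PHI_MASTER_KEY` is assumed; a KMS or HSM would fill that role in production). The cipher is an encrypt-then-MAC construction built from HMAC-SHA256 so the example runs with the Python standard library only; a vetted AEAD such as AES-GCM is what you would deploy.

```python
import hashlib
import hmac
import json
import os
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib stand-in for a real stream/AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(master: bytes):
    """Derive separate encryption and MAC keys so one key never serves two purposes."""
    enc = hmac.new(master, b"phi-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"phi-mac", hashlib.sha256).digest()
    return enc, mac

def encrypt_record(master_key: bytes, record: dict) -> dict:
    """Seal a PHI record for storage at rest. The returned blob contains no key material."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}

def decrypt_record(master_key: bytes, sealed: dict):
    """Return the record, or None when the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext = bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(sealed["tag"])):
        return None  # verify the tag before touching the ciphertext
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def load_master_key() -> bytes:
    """Key lives outside the data store: env var here (assumed name), KMS/HSM in practice."""
    hex_key = os.environ.get("PHI_MASTER_KEY")
    return bytes.fromhex(hex_key) if hex_key else secrets.token_bytes(32)

def stolen_blob_reveals(sealed: dict, secret: str) -> bool:
    """Model the thief who has only the stored blob: is the patient data visible in it?"""
    return secret.encode() in bytes.fromhex(sealed["ciphertext"])
```

Run with a constructed record such as `{"patient": "Jane Doe", "mrn": "000123"}`: the sealed blob can be written to disk or backup media, and only a holder of the master key recovers the record.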

Data privacy matters

Perhaps the most important reason to follow HIPAA regulations is because data privacy matters. Nobody deserves to have their private information exposed to hackers who might use it for identity theft. It’s just not fair.

If you care about protecting other people’s privacy, take HIPAA regulations seriously. The consequences after a breach can be devastating.
