HIPAA Is No Joke
How are you feeling about the state of your practice’s HIPAA compliance? Have you figured out whether your old practices comply with the stringent Omnibus Final Rule? Do you have a compliant Notice of Privacy Practices to give to patients? Have you performed (and documented in writing) a risk analysis and a risk management program? Have you updated your business associate agreements to satisfy the new rules?
You do know that the compliance deadline for the Final Rule was way back in September 2013, right?
And that penalties range up to $50,000 per violation with an annual limit of $1.5 million?
Just a few years ago, a nearby dermatology practice had to pay $150,000 in a settlement (plus ongoing oversight and mandatory compliance steps) for HIPAA violations. The cause? One of the practice’s thumb drives was stolen from a car.
I mention this one in particular not because of the size of the penalty. Many other enforcement actions have led to greater sanctions (here are a few examples). I bring it up because of why they got in trouble: “The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.”
In other words: no risk assessment or risk management plan; none of the required written policies; and no HIPAA training. All it took to expose those gaps was losing a thumb drive.
HIPAA is no joke, and it’s long past time to get serious about compliance.
Okay, stop hyperventilating. Panic doesn’t help.
What you need to do is talk to a healthcare law firm with HIPAA compliance expertise. You’ll probably also need to engage a data security consultant with CISSP certification or similar.
Complying with HIPAA shouldn’t create an impossible hurdle, especially for a smaller practice. Yes, compliance will place significant demands on resources, time, and attention. It would certainly be easier to ignore the whole thing and get on with treating patients. But this is not an option. HIPAA, like gravity, is the law, and the penalties for non-compliance can be disastrous.
Contact our office today for assistance with HIPAA compliance issues.
Typewriter image via Wikimedia Commons