How may we help you? 617-935-3272

HIPAA Compliance — Are You In?

HIPAA Is No Joke

How are you feeling about the state of your practice’s HIPAA compliance? Have you figured out whether your old practices comply with the stringent Omnibus Final Rule? Do you have a compliant Notice of Privacy Practices to give to patients? Have you performed (and documented in writing) a risk analysis and a risk management program? Have you updated your business associate agreements to satisfy the new rules?

You do know that the compliance deadline for the Final Rule was way back in September 2013, right?

And that penalties range up to $50,000 per violation with an annual limit of $1.5 million?

Just a few years ago, a nearby dermatology practice had to pay $150,000 in a settlement (plus ongoing oversight and mandatory compliance steps) for HIPAA violations. The cause? One of the practice’s thumb drives was stolen from a car.

I mention this one in particular not because of the size of the penalty. Many other enforcement actions have led to greater sanctions (here are a few examples). I bring it up because of why they got in trouble: “The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.”

In other words: no risk assessment or risk management plan, none of the required written policies, and no HIPAA training. All it took to expose those gaps was losing a thumb drive.

HIPAA is no joke, and it’s long past time to get serious about compliance.

Okay, stop hyperventilating. Panic doesn’t help.

What you need to do is talk to a healthcare law firm with HIPAA compliance expertise. You’ll probably also need to engage a data security consultant with CISSP certification or similar.

Complying with HIPAA shouldn’t create an impossible hurdle, especially for a smaller practice. Yes, compliance will place significant demands on resources, time, and attention. It would certainly be easier to ignore the whole thing and get on with treating patients. But this is not an option. HIPAA, like gravity, is the law, and the penalties for non-compliance can be disastrous.

Contact our office today for assistance with HIPAA compliance issues.

Typewriter image via Wikimedia Commons

2 Comments
  • MD Nestor
    8:31 PM, 27 June 2014

    I have a few questions on this. First, if a practice is not yet in compliance, is there an advantage to informing the govt as to what steps we are taking toward compliance, to show that we are headed in that direction?

    Second, do we need a business associate agreement with a company that shreds old records?

    Third, is there insurance available to cover HIPAA breaches?

    Thanks for your thoughts.

    N

    • Ezra
      3:07 AM, 13 July 2014

      Let me take these questions in order.

      1. You do have an affirmative responsibility to self-report any breaches of unsecured protected health information (PHI). For a summary of the relevant obligations and procedures, you might start here.

      But if you can confirm that there has been no breach as a result of noncompliance, I am not aware of an affirmative responsibility to inform OCR or HHS. I would recommend getting into compliance as rapidly as possible. Document all progress as you go. It can be difficult and expensive, but it is not meant to be an impossible task for any covered entity. In case of an audit, it is better to be able to show that you have been assiduously working toward compliance. Do not just stick your head in the sand and hope for the best.

      2. Yes!

      3. There is HIPAA breach insurance. You might want first to review your current errors and omissions (E&O) or directors and officers (D&O) insurance. The policy may already protect against HIPAA breaches. I recommend that you contact your insurance broker and ask about your options.

      Give me a call if you need help with any of this. Thanks for the questions.
