HIPAA Is No Joke
How are you feeling about the state of your practice’s HIPAA compliance? Have you figured out whether your old practices comply with the stringent Omnibus Final Rule? Do you have a compliant Notice of Privacy Practices to give to patients? Have you performed (and documented in writing) a risk analysis and a risk management program? Have you updated your business associate agreements to satisfy the new rules?
You do know that the compliance deadline for the Final Rule was way back in September 2013, right?
And that penalties range up to $50,000 per violation with an annual limit of $1.5 million?
Just a few years ago, a nearby dermatology practice had to pay $150,000 in a settlement (plus ongoing oversight and mandatory compliance steps) for HIPAA violations. The cause? One of the practice’s thumb drives was stolen from a car.
I mention this one in particular not because of the size of the penalty. Many other enforcement actions have led to greater sanctions (here are a few examples). I bring it up because of why they got in trouble: “The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.”
In other words: no risk assessment or risk management plan, no required written policies, and no HIPAA training. All it took was losing a thumb drive.
HIPAA is no joke, and it’s long past time to get serious about compliance.
Okay, stop hyperventilating. Panic doesn’t help.
What you need to do is talk to a healthcare law firm with HIPAA compliance expertise. You’ll probably also need to engage a data security consultant with CISSP certification or similar.
Complying with HIPAA shouldn’t create an impossible hurdle, especially for a smaller practice. Yes, compliance will place significant demands on resources, time, and attention. It would certainly be easier to ignore the whole thing and get on with treating patients. But this is not an option. HIPAA, like gravity, is the law, and the penalties for non-compliance can be disastrous.
Contact our office today for assistance with HIPAA compliance issues.
MD Nestor
I have a few questions on this. First, if a practice is not yet in compliance, is there an advantage to informing the govt as to what steps we are taking toward compliance, to show that we are headed in that direction?
Second, do we need a business associate agreement with a company that shreds old records?
Third, is there insurance available to cover HIPAA breaches?
Thanks for your thoughts.
N
Ezra
Let me take these questions in order.
1. You do have an affirmative responsibility to self-report any breaches of unsecured protected health information (PHI). For a summary of the relevant obligations and procedures, you might start here.
But if you can confirm that there has been no breach as a result of noncompliance, I am not aware of an affirmative responsibility to inform OCR or HHS. I would recommend getting into compliance as rapidly as possible. Document all progress as you go. It can be difficult and expensive, but it is not meant to be an impossible task for any covered entity. In case of an audit, it is better to be able to show that you have been assiduously working toward compliance. Do not just stick your head in the sand and hope for the best.
2. Yes!
3. There is HIPAA breach insurance. You might want first to review your current errors and omissions (E&O) or directors and officers (D&O) insurance. The policy may already protect against HIPAA breaches. I recommend that you contact your insurance broker and ask about your options.
Give me a call if you need help with any of this. Thanks for the questions.