This is the amount in financial penalties paid for HIPAA violations in 2018.
Of that amount, Anthem Inc. paid the U.S. Department of Health and Human Services (HHS) $16 million, following a data breach in 2015. This breach exposed the electronic Protected Health Information (PHI) of 78.8 million of its members.
Anthem’s settlement is currently the largest HIPAA settlement fine levied, but other healthcare entities have reached resolution agreements for HIPAA violations ranging from disclosing PHI to unknown vendors to failing to terminate an ex-employee’s access to electronic medical records.
Despite this, an average of 12,600 HIPAA compliance complaints are still received every year.
Maintaining HIPAA compliance can be complex, and many medical practices are breaching HIPAA laws without realizing it.
HIPAA penalties range from fines of $100 to $50,000 per violation, capped at $1.5 million for violations of the same standard. Some cases can lead to civil and criminal penalties resulting in jail time for violators.
These days, data protection is more complex than locking patient files in cabinets. As medical practices come to rely on technology and third-party vendors to grow, it is now easier for healthcare data to be stolen and misused.
You and your employees must understand what HIPAA is and how you can stay compliant.
Why Comply with HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of health care information, whether it is physical or electronic.
PHI is any personally identifiable information that can be used to identify a patient. This can include a patient’s name, address, SSN, medical record number, account number, and even biometric identifiers like fingerprints and voice prints.
Protecting this information should be a walk in the park, right?
These days, PHI is constantly changing hands. PHI is exchanged between your office staff, treating physicians, pharmacies, insurance companies, and even the patients themselves.
To keep patient data safe, strict and clear protocols must be put in place to comply with HIPAA laws.
Who Must be HIPAA Compliant?
Under HIPAA, there are two groups that must be HIPAA compliant.
- Covered Entities: Businesses and individuals that create, receive, or transmit PHI. They include health care providers, health insurance plans, and health care clearinghouses.
- Business Associates: Any organization contracted by a covered entity that receives, maintains, or transmits PHI. These include practice management companies, document shredding companies, IT service providers, cloud or physical storage vendors, email encryption services, law firms, billing companies, and so on.
When you look at how many different entities come in contact with PHI, you can see how difficult it is to maintain patient data security and privacy. Any one of these third-party service providers can trigger a HIPAA violation.
What is considered a HIPAA Violation?
Some of the most common HIPAA violations include:
- Employee disclosure of PHI.
- Lack of training on your practice’s HIPAA policies and procedures.
- Delayed breach notification when a data breach occurs.
- Improper disposal of documents carrying PHI.
- Failing to encrypt electronic PHI.
- Failing to enter a HIPAA-compliant business associate agreement (BAA).
These violations may appear easy to avoid, but the number of medical practices failing to protect their PHI tells a different story.
- For example, a dermatology practice lost a flash drive containing PHI, and was subsequently fined $150,000.
- Or the physical therapy provider who was charged with impermissibly disclosing PHI without authorization. The provider settled to the tune of $25,000.
It’s not all gloom and doom, as staying compliant with HIPAA rules is possible.
Becoming HIPAA Compliant
Here are seven steps you can use as a HIPAA compliance checklist for your practice:
- Start with a thorough risk assessment to identify where your weaknesses are. Next, develop a remediation plan to address any identified shortcomings.
- Be proactive and stay abreast of the most recent HHS guidelines, by signing up for updates from the site.
- Review and update your training materials annually. This allows you to incorporate any recent HHS updates into your manual. You should also document all the efforts you have made to become HIPAA compliant. This documentation is important to have if you ever face a HIPAA investigation by HHS.
- Implement safeguards like password protection and encryption to access patient-specific information on all computers, laptops, and devices.
- Establish a plan for safe and secure disposal of paper, electronic devices and media when they are no longer needed.
- Schedule annual HIPAA compliance training for your staff. This is one of the simplest ways to avoid a violation; you’ll be surprised at how many practices leave patient information unattended.
- Ensure signed Business Associate Agreements from all third-party providers, partners, or contractors. This includes the software you use; only use HIPAA-compliant software to manage PHI.
This may seem like a lot of steps, but it’s simply getting the most critical processes in place. Who knows, these may be the processes that save you from a hefty HIPAA fine.
It’s astonishing to see how many medical practices work with third-party businesses without having a business associates agreement in place.
If you (the covered entity) don’t get a written business associate contract with the business associate, one that establishes exactly what the business associate has been engaged to do and requires them to protect the privacy and security of protected health information, it’s your practice that will be handed a hefty fine.
I can’t stress this enough: BAAs are not optional; make sure they’re signed before you share any protected health information.
Sadly, many unscrupulous vendors claim to be HIPAA-compliant just to get a contract. This can put your medical practice at risk, if you’re investigated by the Office for Civil Rights (OCR).
Failing to vet a contractor and enter a HIPAA-compliant business associate agreement with a contractor that maintained ePHI on its behalf led to Cottage Health being fined $3 million in 2018.
For practices that aren’t fazed by hefty fines, consider these hidden costs of breaches: increased insurance premiums and the compulsory customer notification that leads to loss of trust.
Is it really worth gambling with your hard-earned reputation?
At 7figureclinic, we don’t think so.
We know how valuable your good name and reputation are to you. That’s why we ensure there’s a signed business associate agreement in place before working with you to grow your medical practice.
We’ve helped hundreds of medical practices increase their output and revenue without increasing costs, and more importantly without triggering a HIPAA fine.
Want to learn what we can do for you?