HIPAA enforcement now exposes all types of covered entities, including physicians' offices, to civil and criminal penalties when the administrative, physical and technical safeguards required to protect privacy and security are not in place. AAP News & Journal recently reported that private practices are the most common type of covered entity required to take corrective action to achieve voluntary HIPAA compliance.
If the Office for Civil Rights (OCR) investigates and identifies violations, the covered entity may be required to take one or more of the following actions: implement a voluntary compliance program, or enter into a resolution agreement (a contract signed by the covered entity and OCR that obligates the entity to perform various compliance-related tasks and submit to monitoring for up to three years). A corrective action plan specifying how compliance will be achieved often accompanies the resolution agreement.
Fines are imposed in some cases, and criminal penalties occur in extreme situations. The following are examples of recent HIPAA enforcement actions:
A 12-physician pediatric and adult dermatology practice group paid $150,000 for alleged HIPAA violations arising out of a lost, unencrypted flash drive containing protected health information (PHI). The group also was required to implement a corrective action plan.
A five-physician cardiology group reached a $100,000 settlement as a result of a multiyear, ongoing failure to comply with the HIPAA privacy and security requirements by posting clinical and surgical appointments for patients on a publicly accessible internet-based calendar. The practice had failed to implement even the most basic HIPAA requirements, such as adopting policies and procedures to safeguard patient information appropriately.
An orthopedic clinic failed to execute a business associate agreement prior to turning over 17,300 patients’ PHI to a potential business partner. The settlement included a monetary payment of $750,000 and a comprehensive corrective action plan.
When determining penalties, OCR takes into account how long a violation persisted, the number of people affected, the nature of the PHI exposed and the organization's willingness to cooperate with the investigation. Practices must have HIPAA privacy and security compliance programs in place. They also must conduct periodic internal risk assessments to reveal gaps and address them.
Conducting "business as usual" is no longer a prudent option; it leaves you wide open to investigations and fines. HIPAAcraticRx works with your practice to minimize your risk and vulnerability. HIPAAcraticRx guides practices along a 5-step path from their current state to one of managed HIPAA compliance. Each step progresses toward the end goal, forging a solid foundation of privacy, security, trust and integrity.