If your business has any contact with electronic health records or medical information, HIPAA compliance should be on your mind. This includes the obvious medical professional organizations, as well as businesses like insurance agencies, information technology providers and many others.
The consequences of not following HIPAA regulations can threaten to dismantle the very business you worked on creating.
Here are eight reasons every business should care about HIPAA compliance:
1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for noncompliance. The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Any complaint, breach or discovered violation can initiate mandatory investigations.
2. New breach notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. The breach and failure to report it can trigger federal investigations and eventual fines and penalties, which can in turn financially cripple a business from running to its best ability.
3. All covered entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, Mass., learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address privacy, security, and breach notification rules.
4. Business associates are now required to be compliant with HIPAA privacy and security rules. Covered entities (health care provider, health care plan or health care clearinghouse) are responsible of holding this standard toward their business associates (a person or entity that performs certain functions that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity) through a business associate agreement, which lays out the permitted and required uses of protected health information.
5. While meaningful use incentives for electronic health records (EHR) are optional, HIPAA compliance is not. If you manage protected health information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a covered entity accepts meaningful use funding, a security risk analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.
6. The Department of Human & Health Services’ (HHS) Office of Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities, calling for professionals with experience in privacy and security compliance and enforcement.
7. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff that access PHI must be trained and retrained on proper HIPAA procedures. Documentation of provided training is required to be kept for six years.
8. Protecting your practice means protecting your reputation. The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. It has reached a point where there is a large risk in losing so many clients that a business is unable to bounce back.
In order to avoid the violations above, it is important to sign a business associate agreement with all partners, as well as implement regular internal training for every employee that comes into contact with health care documents. This agreement lays out the business associate’s obligations and activities, as well as the permitted uses and disclosures.
If this step is not taken, the consequences of a health care-related data breach can include not just civil and criminal penalties but also damage to your company’s reputation.
Date: August 24, 2014