12 Common Misconceptions About HIPAA Compliance

March 7, 2014
Medical practices that do not take proactive steps towards becoming HIPAA compliant expose themselves to great risk, and are sometimes misguided about whether compliance is mandatory at all. Here are 12 common misconceptions about HIPAA you must be aware of:


1. “I can’t afford being compliant.”

Yes, you may need to spend money to bring your practice up to speed on HIPAA Compliance. If you think you can’t afford to implement what needs to be done in order to be compliant, do the math and think again: The HITECH Act substantially increased civil penalties for non-compliance with HIPAA Policies, from $25,000 a year to a whopping $1,500,000 a year (yes, there are two commas in that number) – per violation. On top of that, willful neglect or failure to comply results in mandatory investigations and penalties, and these can be triggered by any complaint, breach or discovered violation.

2. “It can wait – my practice is too busy.”

The September 23, 2013 compliance date has passed, so no, it cannot wait. All covered entities, including medical and physician practices, clinics and hospitals, as well as their Business Associates, must update their HIPAA policies, procedures, forms and Notices of Privacy Practices, and otherwise implement the changes required by these regulations as soon as possible. Here are some key dates to keep things in perspective:

HIPAA Rules Key Dates:
  • March 26, 2013: The new HIPAA Rules became effective.
  • September 23, 2013: Covered entities must comply with most of the new Rules’ provisions.
  • September 25, 2013: Disclosures of PHI become subject to the new restrictions on the sale of PHI.
  • September 22, 2014: Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.

3. “It only matters for larger organizations and serious breaches.”

The new breach rules will increase the number of HIPAA violations that are determined to be Breaches. The recent federal Omnibus ruling expands the definition of a breach, and failure to address a breach properly and provide the required notifications can trigger federal investigations and eventual fines and penalties.

4. “I am not a doctor, I should not worry about HIPAA compliance.”

With the recent Omnibus ruling, Business Associates are now required to be HIPAA Privacy and Security Compliant, while Covered Entities are responsible for ensuring their BAs are compliant.

5. “I am a doctor, my business associates’ HIPAA compliance is their problem.”

It is not just about minding your own business anymore. With the recent Omnibus ruling, Business Associates are now required to be HIPAA Privacy and Security Compliant, while Covered Entities are responsible for ensuring their Business Associates are compliant.

6. “There are so many healthcare practices, they can’t possibly police everyone!”

As a recent public announcement from the Office for Civil Rights indicates, they are stepping up hiring for HIPAA compliance activities: the Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.

OCR is seeking candidates with experience in privacy and security compliance and enforcement, as well as in the areas of policy, outreach, and health information technology systems.

7. “HIPAA rules are still new – enforcers are not ready.”

The Federal government has expanded the reach of HIPAA by enlisting State Attorneys General. See the HIPAA training program agenda for State Attorneys General offered by the Department of Health and Human Services at four live training sites.

8. “My staff and I know enough about HIPAA.”

Unless you have attended training, you probably don’t. All clinicians and medical staff who access PHI must be trained on proper HIPAA procedures on a regular basis. In addition to being trained, you must also keep proof: documentation of the training provided must be kept for six years.

9. “It’s not going to happen to me.”

It’s an oldie but a goodie. We all rely on the “it is not going to happen to me” mantra in life from time to time. Do you think the people on the HIPAA Breach List had the same idea? Check the names on that list, multiply the number of individuals affected (i.e. the number of violations) by the penalty per violation and do the math: #affected x $violation penalty = your patients’ trust broken, your bank account emptied and your practice out of business.

10. “My Lawyer/Colleague/Computer guy tells me we don’t have to be compliant because of reason X.”

Get a new lawyer, colleague or computer guy. If your practice has anything to do with patient data – even if it is just their phone number – you, your practice, and your business associates are accountable and must be compliant, period.

11. “HIPAA Compliance is optional.”

If you manage Protected Health Information (PHI), you must comply with federal HIPAA regulations or face substantial penalties for non-compliance. Consider this: if a Covered Entity chooses to accept Meaningful Use funding, a Security Risk Analysis is required, and any funding will have to be returned if adequate documentation is not provided upon request. Bottom line: it is mandatory.

12. “OK, I am convinced… but I don’t know how to go about HIPAA compliance, I’ll never get ready!”

Don’t worry. That’s what we are here for – not just us at powersolution.com, but many trusted IT companies and advisers. If your computer support company cannot give you a solid answer on what needs to be done to make your practice HIPAA compliant, search for a reputable IT company in your area.

Our IT Solutions for Doctors’ Offices: Overview

  • Managed IT Support Services – 24/7/365 remote monitoring
  • IT Service Plans – onsite, remote and virtual computer network tech support
  • Hardware and Software management and upgrades
  • Virus, spyware and security protection for your computers and servers
  • Complete support and solutions for your practice
  • HIPAA/HITECH Compliance and Tech Support services

Give us a call now at (855) 551-7760 x 311 – your Computer Network will thank you!

If you are located in New Jersey or the NJ/NY area and are looking for Managed IT services and Computer Support for your Medical Practice, look no further: we are here to provide your medical practice with reliable IT Support.
