I recently came across an article that highlighted a five-doctor, Arizona-based cardiac surgery practice that was fined $100,000 by the Department of Health and Human Services (HHS) for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The small firm was keeping its patient appointment calendars on a publicly accessible calendaring system. A concerned patient notified HHS, and the resulting investigation found that the firm was not only using a public-facing calendaring system but had taken no action to comply with the HIPAA Privacy and Security Rules since their compliance dates in 2003 and 2005, respectively.
Due to the violations, the firm agreed to pay a $100,000 fine and to correct the issues within its practice so that it becomes compliant with the HIPAA Privacy and Security Rules.
Can you afford to pay a fine today?
The common belief is that smaller medical practices will not be targeted for HIPAA Privacy and Security Rules enforcement. As the article outlined, this is no longer the case. Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), says that “we hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
How to become HIPAA Privacy and Security Rules compliant
Many steps can be taken to move toward compliance. The first is to reach out to your IT provider and find out what they have done to ensure you are compliant. Get written documentation explaining exactly which steps have been taken. Your IT provider can help ensure that an adequate firewall is in place at your facility. They can also set up procedures to ensure that protected health information (PHI, the HIPAA term for individually identifiable health information) is encrypted when it is stored in a database and that any email containing PHI is encrypted before it leaves the facility.
At the practice, create formal HIPAA policies. The changes you make in your office should be written down as documented procedures, and each employee should have a handout to reference whenever they need clarification. Also hold regular training sessions for staff to review the HIPAA policies and procedures. This ensures that all staff are reminded of how to stay in compliance with the HIPAA Privacy and Security Rules.
If the correct steps are taken and a small investment of time and money is made, medical practices can ensure that they are on the right track to meet the requirements of the HIPAA Privacy and Security Rules and avoid costly fines and investigations.
Resources used: http://www.ama-assn.org/amednews/2012/04/30/bisd0502.htm