According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:
Is there a signed business associate agreement with each business associate?
Do you encrypt protected health information (PHI)?
Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?
Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g., on a smartphone)?
Do you have a written policy for ascertaining and reporting a security breach?
Do your policies cover everything you do with PHI?
Do you really do things consistently with your existing policies?
There are many more factors that should be carefully reviewed and evaluated. The stakes are high. Fines and penalties are harsh, to say the least. The maximum penalty for a HIPAA violation is now $1.5 million.
Many providers and other health care businesses have already learned this reality the hard way. HITECH requires HHS to post online a list of offenders and their breaches of unsecured PHI affecting 500 or more individuals. A review of this list and its descriptions of the HIPAA offenses should be informative (and motivating) to anyone in a health care business.
Kevin Little is a Georgia and South Carolina Health Care attorney who represents physicians, physician groups, ambulance service providers, nursing homes and other health care providers and businesses. Our business practice is focused on health care issues. We have offices in downtown Augusta, Georgia, and midtown Atlanta. Contact us at (706) 722-7886 or (404) 685-1662 to schedule a confidential consultation.
*Disclaimer: Thoughts shared here do not constitute legal advice.