10 REASONS for HIPAA COMPLIANCE
Physician practices that do not take proactive steps towards becoming HIPAA compliant do so at their peril. Here are our "Top Ten" reasons why you need to be compliant:
1. While the Meaningful Use Incentives are optional, HIPAA compliance is not
If you manage Protected Health Information (PHI), you must comply with federal HIPAA regulations or face substantial penalties for non-compliance. It is as simple as that! Furthermore, if a Covered Entity chooses to accept Meaningful Use funding, a Security Risk Analysis is required, and any funding will have to be returned if adequate documentation is not provided upon request.
2. The HITECH Act substantially increased civil penalties for non-compliance with HIPAA Policies
The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Willfully ignoring or failing to be compliant means mandatory investigations and penalties, which can be triggered by any complaint, breach or discovered violation. See the document published by the American Medical Association (AMA) at http://www.ama-assn.org/resources/doc/washington/hipaa-omnibus-final-rule-summary.pdf for further information.
3. The mandated deadline for the new HIPAA compliance rules has already passed
All covered entities, including physician practices, clinics and hospitals, and Business Associates must update their HIPAA policies, procedures, forms and Notices of Privacy Practices, and otherwise implement the changes required by these regulations as soon as possible, if they were not in place by the September 23, 2013 compliance date.
4. New breach rules will increase the number of HIPAA violations that are determined to be Breaches
The recent federal Omnibus ruling expands the definition of a breach, and failure to address a breach properly and provide the proper notifications can trigger federal investigations and eventual fines and penalties.
5. Business Associates are now required to become HIPAA compliant
With the recent Omnibus ruling, Business Associates must also be HIPAA Privacy and Security compliant, and Covered Entities are responsible for ensuring that their BAs are compliant.
6. The Office of Civil Rights (OCR) is expanding its health information privacy enforcement team
As a recent public announcement from the Office of Civil Rights indicates, they are stepping up hiring for HIPAA compliance activities:
"The Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act. OCR is seeking experience in privacy and security compliance and enforcement as well as in the areas of policy, outreach, and health information technology systems. For more information on these positions, go to http://www.usajobs.gov/ and enter the corresponding job announcement number."
7. State Attorneys General are getting involved in HIPAA Enforcement
The Federal government has expanded the reach of HIPAA by enlisting State Attorneys General. See the HIPAA training program agenda for state AGs offered by Health and Human Services at http://www.hhshipaasagtraining.com/agenda.php
8. All Covered Entities must have documented policies and procedures regarding HIPAA compliance
Recently, a dermatology practice learned this lesson the hard way by paying a $150,000 fine, plus implementing a corrective action plan "for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA)."
For further details, see http://www.hhs.gov/news/press/2013pres/12/20131226a.html
9. HIPAA Compliance Requires Staff Privacy and Security Training
All clinicians and medical staff that access PHI must be trained on proper HIPAA procedures on a regular basis. Documentation of the training provided is required to be kept for six years.
10. Protect Your Practice - Don't be another one of these
Unfortunately, the list of healthcare organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. Keep your practice off the HIPAA Breach List - http://www.hipaabreachlist.com/
