Why You Should Be Concerned About HIPAA Compliance

Non-compliance is an invitation for severe fines and penalties.

We have all heard of HIPAA, the Health Insurance Portability and Accountability Act, and we understand that health care providers have a duty to protect the confidentiality, integrity and availability of electronic protected health information (ePHI).

HIPAA Impacts More Than Health Care Companies

Protected health information (PHI) is also handled by organizations outside health care that perform functions on behalf of the industry. These are called business associates, and they too must comply with HIPAA. They include transcriptionists, shredding companies, billing services and cloud-computing providers such as Google or Amazon. They can be copying and printing shops, or even a one-person business that helps a law firm collect data for a legal case.

Whether you have been operating a health care business for a while, are starting a new practice, or have recently discovered you are a business associate, you may feel inundated by heavy industry regulation. HIPAA itself dates from 1996 and its Privacy Rule has been enforceable since 2003, but thanks to recent legislation and rule changes, small providers have seen stepped-up enforcement for breaches of confidentiality, and some have paid fines of $50,000 or more.

HITECH Extends HIPAA

HIPAA's Privacy Rule took effect in 2001 and its Security Rule was finalized in 2003, and at that time many providers worked hard to become compliant. In February 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH introduced sweeping changes to the original HIPAA regulations, especially concerning how they are enforced and who can enforce them (state attorneys general, for example, may now bring HIPAA actions).

HITECH also expanded the scope and number of entities subject to the original regulations, broadened who is exposed to criminal penalties, raised the civil penalty from $100 per violation to as much as $50,000 per violation, and raised the annual cap for violations of an identical provision from $25,000 to $1,500,000. Further, in January 2013 the Department of Health & Human Services (DHHS) published the Omnibus Rule in the Federal Register, which DHHS itself described as the most sweeping change to the Privacy and Security Rules since their inception. Among other things, the Omnibus Rule made business associates directly liable for compliance with the Security Rule. It took effect in March 2013 and gave covered entities and business associates only 180 days to comply with the changes and deadlines it imposed.

Non-Compliance Mistakes

Time and again, health care businesses and business associates are found non-compliant in the same four categories, as noted in the Office for Civil Rights (OCR) pilot audits:

  1. Lack of an updated or written Risk Analysis.
  2. Lack of written policies and procedures.
  3. Lack of workforce training on HIPAA.
  4. Lack of documentation proving enforcement of policies and procedures.

In nearly every case, providers have paid large fines because they did not have comprehensive written policies and procedures in place. When it comes to HIPAA, if it is not in writing, as far as an auditor is concerned it does not exist.

In most, if not all, of these instances, companies could have avoided fines and financial losses had they consulted a professional to guide them through the regulations. A gap analysis determines where the compliance gaps are and the best way to close them. The next step is to perform and document the risk analysis, which determines which policies and procedures to implement and what the workforce must be trained on. Those policies must then be enforced, and the enforcement documented. Under the penalty tiers, willful neglect carries the highest fines, so it is far easier to defend a breach as the unavoidable misconduct of a trained employee acting against written policy than to answer a finding of blatant willful neglect of the law.