Even if your healthcare practice administrator has “downloaded” forms and procedures from the Internet, or has hired a “consultant” to implement a procedure you don’t understand, you are not compliant until you have taken the full HIPAA journey to complete compliance and peace of mind.
The Office of Civil Rights (OCR) began Phase 2 audits in the fall of 2014, and they will continue well into 2015-2016. Be prepared: conduct your due diligence carefully and have your office procedures in place. OCR’s Phase 2 audits will focus on covered entities and the following three areas:
- Security risk analysis and management,
- Breach notifications, and
- Privacy notices and access issues.
OCR’s focus will then shift to business associates (BAs), particularly in security risk analysis and management and in breach reporting for covered entities. Covered entities themselves will be audited on device and media controls, transmission security, privacy safeguards, and training. Finally, in 2016 OCR audits will shift again to encryption and decryption, facility access controls, and other areas of high risk identified during the pilot phase.
Most healthcare covered entities ask the same question: “Why should I care about the audits?” Below are the potential penalties for non-compliance with HIPAA:
- The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations.
- The fines and charges are broken down into two major categories: “Reasonable Cause” and “Willful Neglect.” Reasonable Cause penalties range from $100 to $50,000 per incident and do not involve any jail time. Willful Neglect penalties range from $10,000 to $50,000 per incident and can result in criminal charges.
- Criminal Liability: Covered entities, business associates, and specified individuals who “knowingly” obtain or disclose individually identifiable protected health information (PHI) face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to ten years. Finally, HHS also allows state attorneys general to enforce HIPAA, both civilly and criminally.
- Violators can also face lawsuits, and there is no limit to how much those could cost in dollars and reputation. Loss of clients, loss of credibility, and even loss of medical licensure or accreditation can ruin a medical practice.
Being proactive can head off many of these issues: monetary loss, damaged credibility, and a ruined reputation. Conduct your healthcare due diligence well in advance of an OCR surprise audit (virtual or otherwise). Safeguard your organization preemptively by making sure the HITECH rules are met and well documented, before your organization is singled out for an OCR audit!