HIPAA Has Teeth and They are Long and Sharp – Don’t Get Bitten
The HIPAA security and privacy rules have been in force for a while now, and the HITECH amendments that significantly expand the scope of HIPAA have also been out for more than two years. It appears that the honeymoon and grace periods for compliance are over. Organizations in breach of HIPAA are feeling the harsh bite of HIPAA HITECH penalties in excess of $1 million.
Cases In Point
In the most recent and second largest example to date, the Medicaid agency of the Alaska Department of Health and Social Services (DHSS) has had to pay $1.7 million to settle possible violations of the HIPAA privacy rule and has agreed to take corrective action. Why? Simply because a portable hard drive with PHI from about 2000 people was stolen from an employee's car. The breach and the follow-up investigation showed that DHSS did not have adequate policies in place to meet HIPAA standards for protecting patient privacy, as required by the HIPAA Security Rule.
The largest example to date was CVS Caremark Co., which had to pay $2.25 million in 2009 for disposing of PHI in a dumpster. Blue Cross Blue Shield of Tennessee paid $1.5 million in 2012 for having 57 encrypted hard drives, containing the PHI of over 1 million people, stolen.
Yes, This Means You
These are just the three largest examples of HIPAA breaches involving the actual disclosure of PHI, and each had significant repercussions:
- Large monetary fines
- Bad publicity, since HIPAA HITECH requires that all significant breaches be reported to the media and that the affected parties be notified
- Criminal penalties due to willful neglect. If you ignore it, you are in trouble.
Even if you are a small organization, you may have the PHI of many individuals under your care. If you have to follow HIPAA regulations (e.g. because you are explicitly a Covered Entity, or because you are a vendor to Covered Entities), you must follow the HIPAA guidelines with respect to all of the PHI in your possession. The cost and effort involved are insurance against future issues. Even in the worst-case scenario where a breach happens, you will be much less liable if you are making best efforts to follow HIPAA and protect the data than if you are ignoring HIPAA.
Outsourcing for Inexpensive Compliance
With all of the requirements implicit in following HIPAA, many organizations find it much simpler to outsource aspects of their operations to vendors specializing in HIPAA compliance. These vendors typically have expertise in a specific area, such as email, and are much more likely to handle information in a compliant way than a harried IT department that does not specialize in HIPAA and is beholden to the often unrealistic requirements of other departments. Such requirements, while they may streamline business operations, may not meet HIPAA guidelines, or may at best make compliance tenuous and carry a real risk of someone "making a mistake". With HIPAA, you don't want to give your employees the chance to "make a mistake" if at all possible.