NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

Are you at risk for a HIPAA Violation?

Are You Aware of HIPAA Penalties?

The Health Insurance Portability and Accountability Act (HIPAA) establishes rules protecting individually identifiable health information, along with safeguards to maintain the confidentiality, integrity and availability of protected health information (PHI). HIPAA non-compliance isn’t something you can ignore: it can come with severe penalties and consequences.

It doesn’t matter what healthcare sector your business falls into. If you store medical records or patient data and aren’t taking certain data security precautions, you may already be in violation of HIPAA. With hacking and data breaches at an all-time high, I want to make sure everyone understands how serious HIPAA consequences can be.

HIPAA Fines Are Expensive! Failure to comply with HIPAA requirements can result in both civil and criminal penalties, not to mention damage to your public reputation. For civil violations, your business should anticipate fines of up to $50,000 per violation, with a maximum annual penalty of $1.5 million! And did you realize that your business can be excluded from participating in Medicare?

The Department of Health and Human Services (HHS) has the authority to exclude you from participation in Medicare if you are not compliant with HIPAA standards!

Realize that HIPAA violations can cause you more pain than just on your wallet. Alongside the civil penalties, there are severe criminal punishments. If someone on your team “knowingly” obtains or discloses individually identifiable health information, they face up to a $50,000 fine and up to one year in prison. Offenses committed under false pretenses carry up to five years in prison and a $100,000 fine. And if someone intends to sell or use the information for commercial advantage, personal gain or malicious harm, they face a fine of up to $250,000 and up to ten years in prison.

And your definition of “knowingly” committing an offense may not line up with the Department of Justice’s (DOJ) definition. The DOJ reads “knowingly” as knowing the facts of what was done, not knowing that it was illegal. That means to be held guilty, you don’t need to know that the actions violated HIPAA, only that you knew they took place!

But oftentimes you have no idea you’re in violation. That Doesn’t Matter! HIPAA clearly states that even parties who did not know they were violating the rules are still liable. And there are a surprising number of ways that you may “unknowingly” be leaking personal health data.

  • Opt In Email—realize that electronic protected health information and email don’t mix well, unless you have a HIPAA-compliant email provider that has signed a Business Associate Agreement with your organization. Even if you have HIPAA-compliant email, most of the time your email encryption is opt in, which is inherently insecure: the sender has to explicitly mark a message for encryption before sending it. The problem with this type of system is that, time and time again, senders forget (or don’t even think) to encrypt their sensitive emails.
  • Sending Text Messages—medical professionals frequently text each other and patients. Realize that sending PHI over your phone’s regular text messaging is a HIPAA violation. Instead, you need a HIPAA-compliant secure chat application (from a vendor that also has a Business Associate Agreement with your organization).
  • Insecure Web Submission Forms—more often than not, your web submission form is multi-purpose. That may be fine if patients aren’t submitting health information through it. Often, form submissions are emailed, unencrypted, to specific contacts in your organization (like administrative assistants). Note: if your website requests any individually identifiable medical information, it is required to comply with HIPAA standards. Make sure your website uses a secure processing solution so that data isn’t exposed as it comes in.
  • Sharing Login Information—while sharing logins to email and other accounts might be easier or cheaper up front, HIPAA requires unique logins for EVERYONE in your organization. You are also required to be able to audit who did what, and when. If you share a login, you lose the ability to audit individuals: the log shows the account name, not the person.
  • No Risk Assessment—HIPAA requires that you regularly assess your organization’s network for security threats. If you are a Dynamic Edge customer, we can run the security risk assessment and have HIPAA-trained technicians who ensure your compliance.
  • No Training—if your employees aren’t aware of or trained on HIPAA standards, how sure are you that they are consistently compliant?
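To make the shared-login point concrete, here is an added example (written for this post, not Dynamic Edge tooling) that reads a small, constructed authentication log and flags accounts with overlapping sessions from different source addresses. The log format, usernames, IP addresses and record numbers are all made up; the point it demonstrates is that once two people are logged in as the same account at the same time, a record view in the audit trail can only be tied to an IP address, not to a person.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not real data). Format, assumed for this example:
# "<ISO timestamp> <username> <source IP> <action> [detail]"
SAMPLE_LOG = """\
2024-03-04T08:01:12 frontdesk 10.0.1.21 login
2024-03-04T08:03:40 frontdesk 10.0.1.35 login
2024-03-04T08:05:02 frontdesk 10.0.1.21 view_record MRN-1001
2024-03-04T08:06:11 frontdesk 10.0.1.35 view_record MRN-2002
2024-03-04T08:45:00 frontdesk 10.0.1.21 logout
2024-03-04T09:10:00 frontdesk 10.0.1.35 logout
2024-03-04T08:02:00 j.doe 10.0.1.50 login
2024-03-04T08:20:00 j.doe 10.0.1.50 view_record MRN-3003
2024-03-04T08:30:00 j.doe 10.0.1.50 logout
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    action: str
    detail: str


def parse_log(text):
    """Parse the constructed log format above into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=4)
        ts, user, ip, action = parts[:4]
        detail = parts[4] if len(parts) > 4 else ""
        events.append(Event(datetime.fromisoformat(ts), user, ip, action, detail))
    return sorted(events, key=lambda e: e.ts)


def build_sessions(events):
    """Return {user: [(ip, start, end), ...]}.

    A session runs from a login to the matching logout from the same IP.
    A login with no logout is treated as still open at the last event seen.
    """
    last_ts = max(e.ts for e in events)
    open_sessions = {}
    sessions = defaultdict(list)
    for e in events:
        key = (e.user, e.ip)
        if e.action == "login":
            open_sessions[key] = e.ts
        elif e.action == "logout" and key in open_sessions:
            sessions[e.user].append((e.ip, open_sessions.pop(key), e.ts))
    for (user, ip), start in open_sessions.items():
        sessions[user].append((ip, start, last_ts))
    return sessions


def find_shared_logins(text):
    """Flag users whose sessions from different IPs overlap in time.

    For each overlap, also list the record views during that window: those
    entries name the account and an IP, but cannot be attributed to a person.
    """
    events = parse_log(text)
    sessions = build_sessions(events)
    findings = {}
    for user, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                ip_a, start_a, end_a = sess[i]
                ip_b, start_b, end_b = sess[j]
                if ip_a == ip_b:
                    continue  # same workstation reconnecting is not a sharing signal
                start, end = max(start_a, start_b), min(end_a, end_b)
                if start < end:
                    unattributable = [
                        f"{e.ts.isoformat()} {e.ip} {e.detail}"
                        for e in events
                        if e.user == user and e.action == "view_record" and start <= e.ts <= end
                    ]
                    findings.setdefault(user, []).append(
                        {"ips": sorted([ip_a, ip_b]), "overlap": (start, end),
                         "unattributable": unattributable}
                    )
    return findings


if __name__ == "__main__":
    for user, hits in find_shared_logins(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{user}: concurrent sessions from {hit['ips']} "
                  f"{hit['overlap'][0]:%H:%M} to {hit['overlap'][1]:%H:%M}")
            for entry in hit["unattributable"]:
                print("   cannot attribute to a person:", entry)
```

On the sample data the shared "frontdesk" account is flagged with two record views that can only be traced to a workstation address, while "j.doe" (one person, one session) produces no finding. The check is deliberately simple; a real deployment would also look at concurrent logins from different subnets or geographies and at logins outside a person's shift.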

Why Can’t You Just Say “I Took Care of HIPAA Last Year”?

There are many cases, especially among small to medium companies, of businesses that push for HIPAA compliance and then forget about it. If you assume everything is set, what you fail to recognize is that HIPAA requires you to keep reviewing your policies and risk, which in practice means at least YEARLY. That means updating your and your employees’ training and your organization’s policies. Make sure to keep HIPAA compliance on your calendar and continue to mitigate risks throughout the year. Note: If you are a Dynamic Edge client, we can do all of this for you. Just talk to your Business Technology Manager.

But, Do I Have To?

We all understand that having your bases covered is what you want and need, especially when it comes to avoiding a data breach or being found in violation of HIPAA standards. Regularly assessing your networks and mitigating data breach risks are critical for your organization to stay successful within the healthcare field.

Understand that taking documented steps to improve your organization’s data security goes a long way toward keeping a violation out of the “willful neglect” category, which carries the most expensive fines and penalties. Note: HHS does look for willful neglect when it assesses penalties against you or your organization for knowingly neglecting proper management and security of protected health data.

Unsure that your organization is HIPAA compliant? Call Us TODAY for a free HIPAA security assessment.
