HIPAA has been around since it was first proposed in 1999, but most of its requirements have not been followed. In fact, up until 2011 there was very little enforcement, and no fines were even issued.

Why, you might ask? …

The Health Insurance Portability and Accountability Act was introduced with no enforcement rules. Implementation was left to the honor system.

That all changed in 2008, when the Office of Inspector General (U.S. Department of Health & Human Services) put out a report finding that CMS (Centers for Medicare & Medicaid Services) was not enforcing HIPAA. This meant that many medical practices were not complying with the rules, which placed patients at significant risk of having their personal health information exposed because of poor security. OCR (Office for Civil Rights) is now responsible for HIPAA enforcement. This gave individual State Attorneys General and others the right to enforce HIPAA civil penalties.

Even with the right to enforce HIPAA, there still was no way to pay for it. That changed with the HITECH Act, which paid to hire the staff needed. This included appointing former prosecutor Jocelyn Samuels as Director of OCR.

OCR's 2016 funding was $39 million, with the 2017 budget increased to $43 million. All fines and penalties issued by the department will be kept by the department, which means the economic model for HIPAA enforcement is sustainable.

HIPAA fines are huge!

2016 was a banner year for HIPAA fines. The number of penalties handed out was over 3 times the amount from the previous year. In 2015 the total HIPAA penalties levied was $6.1 million, and in 2016 that amount skyrocketed to $21 million and counting.

Like many practices, your first concern is the good health of your patients. All the work you do generates extremely valuable data stored on computer systems. This data is in high demand by hackers and is regularly sold on the dark web. This puts your patients at risk unless you take steps to secure your practice and its computer systems.

We have seen many good, honest practices that simply do not have the expertise or the time required to make their computer systems safe, secure and HIPAA compliant. This ultimately places their patients at increased risk of identity theft and Medicare and insurance fraud. Unscrupulous hackers can use Personal Health Information to steal patient identities, make fraudulent claims against their insurance programs, open accounts in their names and make your patients’ lives miserable. If you want to protect your patients’ personal information and your practice from large penalties and fines, then it’s time to start looking very hard at your HIPAA compliance.

Not sure where to start?

The very first thing is to get an overview of the HIPAA requirements and how they apply to you. I have put together the 20 Minute HIPAA Quick Start Guide to help you. Take the next 20 minutes and answer the questions as best you can. “I don’t know” is a good answer, “No” is a good answer and “Yes” is a good answer. Don’t forget, we are trying to figure out what we don’t know so we can avoid penalties and security breaches. The more you find out now, the better.

If you find your answers are “no” or “I don’t know”, or you are not sure what the questions mean, chances are you need some help. Contact my office to discuss how we can help get your practice HIPAA compliant at (810) 695-4258 or martin.matties@jmeinc.com

God Bless…
