If you have been to the dentist or doctor’s office in the past few years, you are probably familiar with the privacy act that protects your personal and sensitive medical data. In fact, you have probably signed the HIPAA statement when you first signed in at the office, as required of all practices. HIPAA, the Health Insurance Portability and Accountability Act, was passed by Congress in 1996; it provides industry-wide standards for health care information in electronic billing and other processes, and requires the protection and confidential handling of protected health information. Beyond signing the HIPAA release, have you ever given any thought to what happens if there is a HIPAA violation or breach of the rules? As a practitioner, employee, or owner of a medical or dental practice, it is important to understand what those consequences could be. Let’s take a closer look at who is ultimately responsible for ensuring that HIPAA is followed and what types of penalties could be levied if a covered entity or business associate is found to be non-compliant with the regulations.
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is the enforcement agency for HIPAA. Complaints and violations are filed with the OCR, and they are responsible for administering, investigating, and enforcing the HIPAA privacy standards. The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
If a HIPAA breach or an impermissible use or disclosure has occurred, there are procedures to follow including:
- Reporting the breach to the Secretary of HHS (through the OCR), to the affected individuals, and to the media, describing the nature and extent of the protected health information involved.
- Reporting on the unauthorized access or viewing and to whom.
- Reporting the extent to which the risk to the protected health information has been mitigated.
Penalties for HIPAA violations:
Penalties range according to the extent of the violation, whether the violation was caused by willful neglect, and the speed and effectiveness of the correction of the violation. Here is a quick recap of the violation tiers.
In addition to monetary penalties, there are criminal penalties that include potential jail time:
- Unknowingly or with reasonable cause: up to one year of incarceration
- Under false pretenses: up to five years of incarceration
- For personal gain or malicious reasons: up to ten years of incarceration
Breaches and violations are commonly covered in the local and national news. Recently, the University of Texas MD Anderson Cancer Center was required to pay $4.3 million in penalties for HIPAA violations. The OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011. Don’t let a lapse in protocol like this cost your practice its livelihood.
Is your practice following the correct guidelines for protected patient information under the HIPAA federal law? Call Spectra Networks for an evaluation and risk assessment today at 978.219.9752, or visit our website.