Big HIPAA penalties and fines make great news headlines. Recently the managed care company WellPoint Inc. agreed to pay a $1.7 million fine to settle potential HIPAA violations.
False sense of security
Large fines make headlines and show that violating HIPAA regulations can be very expensive. Unfortunately it can have an opposite effect as well. Smaller organizations might see these large fines and that large organizations are being targeted and think that enforcement is not happening for smaller organizations. These smaller organizations might be lulled into a false sense of security.
History has shown that smaller organizations can and will be targeted for HIPAA violations.
The Office of Civil Rights (OCR) made it clear that all size organization were target of their 115 random audit program in 2012. Small providers fell into their level 4 definition
Level 4 Entities
- Small Providers(Provider Practices, Community or rural pharmacy)
- Little to no use of HIT – almost exclusively paper based workflows
- Revenues less than $50 million
Phoenix Cardiac Surgery
History has shown that smaller organizations can and will receive significant HIPAA fines for non-compliance. Phoenix Cardiac Surgery a small surgery center with 5 physicians was fined $100,000 by OCR for failing to protect patient information.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule brings changes that may impact smaller organizations. If a HIPAA complaint is filed against an organization (no matter what the size) OCR has to investigate the complaint if the facts indicate that a possible violation due to willful neglect of the HIPAA regulations.
HHS Description and Commentary From the January 2013 Amendments Compliance and Enforcement: Complaints to the Secretary (emphasis added)
Section 13410(a) of the HITECH Act adds a new subsection (c) to section 1176 of the Social Security Act, which requires the Department to formally investigate a complaint if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect (section 1176(c)(2)) and to impose a civil money penalty for a violation due to willful neglect (section 1176(c)(1)). The Department proposed a number of modifications to Subpart C of the Enforcement Rule to implement these provisions.
First, § 160.306(c) of the Enforcement Rule currently provides the Secretary with discretion to investigate HIPAA complaints through the use of the word “may.” As a practical matter, however, the Department currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules.
Nonetheless, to implement section 1176(c)(2), the Department proposed to add a new paragraph (1) to § 160.306(c) (and to make conforming changes to the remainder of § 160.306(c)) to make clear that the Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. Under proposed § 160.306(c)(2), the Secretary would have continued discretion with respect to investigating any other complaints.
All size organizations need to comply with HIPAA regulations. Smaller organizations have been targeted for random audits and have been subject to HIPAA fines. It is not difficult to make a good faith effort to comply with HIPAA regulations. Here are some things that must be done:
- Perform a HIPAA Risk Assessment
- Implement HIPAA Security Policies and Procedures
- Provide HIPAA Security Training for all Employees
Take advantage of our Free HIPAA Security Training!
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!