We have written about the $100,000 HIPAA fine that was handed down to Phoenix Cardiac Surgery. There is a very good article at AISHealth that details the case and provides some good insight by industry professionals.
One quote by well-respected HIPAA attorney Jeff Drummond really sheds light on what happens when you ignore compliance regulations:
“I think the $100K is fair, based on what I know,” says Jeff Drummond, a HIPAA expert and partner at Jackson Walker LLP, based in Dallas. The doctors “didn’t do anything. They didn’t take HIPAA seriously, ever. And when they screwed up and put stuff out there where it could be accessed by anyone with an Internet connection, their sins of omission came back to haunt them.”
Even an old notebook with some little-used policies would have helped, he says. “If they had a decent HIPAA compliance program, had a dusty three-ring binder somewhere they could point to, then maybe this screw-up would have merited a slap on the wrist, a $5,000 fine, and a promise to adopt better policies, train their staff, and never, never, never do that again. Mistakes happen, even to the most careful person or group. When they happen to a careless group, the punishment should be greater,” Drummond argues.
John Christiansen, chair of the HITECH Taskforce for the American Bar Association, also provides his insight:
“My best guess is that the folks in charge of the practice were aware of HIPAA but assumed either that OCR would never find out, or that if OCR did any penalty would be nominal,” Christiansen says. “It’s an unfortunate truth that HIPAA compliance does take resources and adds administrative burdens, which means that any dollar spent on compliance is a dollar that can’t go to patient care, new facilities or equipment, or salaries or profits. It’s also an unfortunate truth that the return on investment for any compliance activity is invisible — if compliance is working well things don’t go wrong and there’s no penalty exposure. Given these factors it can become all too easy to put HIPAA compliance at the bottom of the practice’s ‘to do’ list, and never get around to it.”
Christiansen added a final thought about another aspect of compliance that felled the practice. “I think an important issue in this case was the finding of violations for not having a proper business associate contract in place. This, frankly, was a non-burdensome no-brainer somebody should have caught easily, which makes it especially suitable for penalties,” he says. “But I think this is a cautionary note for the many practices adopting electronic health records and other information technology, to make sure their documentation is correct. I would also take this as a cautionary note to their vendors, since they are about to become directly regulated by the HITECH ‘mega-rule.’ I think OCR wants to send a message that everybody in the health information ecology had better know and manage their compliance obligations, or there will be consequences.”
The days of ignoring HIPAA are over. For a minimal investment, covered entities (hospitals and medical practices) can avoid fines and negative publicity that directly hit their bottom line.