HIPAA compliance doesn’t care if you’re a small business or a non-profit. This isn’t said in a disrespectful manner to the laws that govern the policies, but to make you aware that your business status, or identifying structure won’t allow you to be overlooked.
Hefty Fine Imposed
Recently the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services imposed a $2,154,000 penalty against Jackson Health System (JHS) for HIPAA violations.
This nonprofit academic medical system operates 6 major hospitals, a network of urgent, primary, and specialty care centers, long-term nursing facilities, and corrections health services clinics. Those facilities provide care for 650,000 patients on an annual basis and employ over 12,000 people.
JHS submitted the breach report in August of 2013. In it, they stated that in January of that same year, they had lost paper records which contained the private health information (PHI) of over 700 patients. An additional loss of patient records from December 2012 was not reported until June of 2016. Additionally, an investigation was launched in July of 2015 when two employees accessed a patient’s electronic medical record inappropriately, and that patient’s photo was shared by a reporter. The image contained the patient’s medical information on an operating screen and was shared on social media.
A Compliance Program in Disarray
Add to all of this, that in February of 2016 JHS reported that one employee had been selling PHI. JHS reported that this employee had accessed over 24,000 patient records since 2011.
12,000 employees mean a lot of monitoring for any company, so a strong HIPAA compliance program isn’t just a necessity, it’s a critical part of this business keeping its doors open. The OCR investigation found that their HIPAA compliance program had been “in disarray for a number of years” and that the “hospital’s system compliance failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
A strong HIPAA compliance program needs to be a part of your business from start to finish. Are you prepared to be accountable for the actions of your employees?