Written by Matt Drachenburg, HIPAArisk.com (formerly Excellence in Healthcare and currently an ASDA Endorsed Partner). For full-service HIPAA risk management, please go to www.HIPAArisk.com
Are You Prepared for September 23?
The Office for Civil Rights (OCR) will begin enforcement of the HIPAA Security Omnibus Rule on September 23, 2013. The HIPAA Security Rule focuses on protecting patient information that is stored in an electronic format.
If you are unaware of the requirements to be in compliance with the HIPAA Security Omnibus Rule, you are not alone. Unfortunately, being unaware is not a reasonable excuse, and OCR will fine you if you are not in compliance.
Fines for breaches have increased dramatically and could be as much as $50,000 per violation (that’s per patient record), with an annual cap of $1.5 Million. Even small breaches could cost you upwards of $50,000, and that does not include the cost of damage to a practice’s reputation, or being required to purchase identity theft protection for the affected patients. In a recent settlement, Hospice of North Idaho was fined for the loss of less than 500 patient records after an unencrypted laptop was stolen from their offices.
There is money to be made by finding HIPAA Violations.
The Department of Health and Human Services' Office for Civil Rights is training State Attorneys General to identify HIPAA violations and enforce the HIPAA Omnibus Rule. In these sessions, States are trained to read newspapers for releases of celebrity health information and to review law enforcement reports for break-ins at medical offices and reports of stolen computer equipment. States can impose additional fines on top of the federal fines.
Luckily, there is still time to get into compliance.
GETTING INTO COMPLIANCE
STEP ONE: HIPAA SECURITY RISK ANALYSIS
The most important first step is to conduct a comprehensive HIPAA Security risk analysis. This risk analysis addresses each section of the security rule as it applies to your practice and identifies corrective actions or mitigations that need to be implemented.
According to Leon Rodriguez, the Director of OCR, not having a HIPAA Security risk analysis is considered one of the red flags that auditors will look for during any HIPAA violation investigation. Even if you can’t become fully compliant by the deadline, a risk analysis and corrective action plan documents that you are taking the necessary steps towards compliance.
STEP TWO: VET YOUR VENDORS
One of the big changes to the rule is your relationship with Business Associates (IT vendors, third-party billing companies, etc.). In the past, a practice was fined for any breach, regardless of who was at fault. With the new rule, however, if you properly vet your business associates for their competence and understanding of the security rule’s requirements and document that the Business Associate was aware of proper security requirements, then the Business Associate can be fined for a breach affecting your practice, not you.
For example, can you document that your IT provider understands encryption and key management? Does your third-party transcriptionist have documentation that all employees have been trained on HIPAA security? A well-written Business Associates Agreement outlining these security requirements can be vital to protecting your practice in the event of a breach.
GET INFORMED ABOUT HIPAA SECURITY
ASDA and its endorsed partner, HIPAA Risk Management, will be conducting an educational session at the Fall Seminar on September 21. This seminar will cover both current and new HIPAA regulations as they apply to our members. If you are unable to attend, HRM will also be offering two free webinars in October (10/2 and 10/16), exclusively for ASDA members. More information on the webinars can be found at http://hipaarisk.com.