The threat of a HIPAA investigation is only one of the exposures that EHR vendors face when it comes to the implementation of privacy and security standards. One of the most recent examples came in June of 2016 when EHR vendor Practice Fusion Inc. was fined for deceptive privacy practices revealed over the course of an FTC investigation.
The trend toward civil monetary penalties and other government fines is growing throughout the medical space, and EHR vendors need to look into solutions that will protect their practice.
When it comes to HIPAA compliance, EHR vendors are considered business associates (BAs). Business associates are defined by HIPAA regulation as any organization that handles protected health information (PHI) such as medical records, patients’ demographic data, etc., over the course of the work they’ve been hired to perform by a healthcare provider.
Because EHR vendors store PHI in bulk, they are particularly vulnerable to privacy and security violations under HIPAA regulation. EHR platforms that choose not to deploy a HIPAA compliance program addressing the full extent of the federal regulation put their clients’ data at risk of a breach. And, in the event that a breach is reported to OCR, the risk of HIPAA settlements reaching well into the millions of dollars becomes a frightening reality.
The OCR fine schedule for breaches of unsecured PHI ranges from $100-$50,000 per incident based on the level of perceived negligence in the organization’s HIPAA compliance program. Without HIPAA privacy and security standards in place, EHR platforms risk irreparable damage to their clients’ data and their organization’s reputation.
OCR has been conducting full-scale investigations into unconventional targets across the medical industry. In 2016, OCR levied almost $24 million in fines, making it the most expensive year for HIPAA fines to date.
Additionally, two landmark fines have signaled major changes in HIPAA and EHR implementation. In July of 2016, the first ever settlement was reached with a HIPAA business associate for various security failures. And as recently as January of 2017, OCR reached the first settlement regarding HIPAA breach notification requirements.
OCR has established the precedent for stricter, more wide-reaching HIPAA and EHR implementation, and the trend is set to continue into the years ahead. How confident are you in your HIPAA compliance?