Penalties for Non Compliance HIPAA
Covered entities, business associates, and managed service providers with healthcare clients are required to comply with HIPAA. When they do not comply with HIPAA, there are penalties for non compliance. Penalties range based on perceived neglect. Penalties for non-compliance with HIPAA are discussed below.
Why Recent Penalties for Non Compliance HIPAA Were Issued
There are several reasons in which a HIPAA beholden entity may be penalized for failing to comply with HIPAA.
Organizations were fined for failure to:
◈ Implement HIPAA Security Rule policies and procedures.
◈ Implement security measures sufficient to reduce risks and vulnerabilities.
◈ Conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
◈ Manage identified risks to a reasonable and appropriate level.
◈ Have a risk management plan.
◈ Perform periodic technical and non-technical evaluations in response to environmental or operational changes.
◈ Encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so.
◈ Implement access and audit controls on its information systems and applications.
◈ Utilize device and media controls.
◈ Regularly review information system activity records.
◈ Restrict authorization of its workforce members’ access to ePHI to the minimum necessary to accomplish their job duties.
◈ Obtain a written business associate agreement with a contractor that maintained ePHI.
◈ Have a HIPAA compliant Notice of Privacy Practice.
◈ Provide timely and accurate breach notification.
◈ Thoroughly investigate breach.
◈ Comply with the HIPAA Right of Access.
◈ Have policies and procedures for HIPAA compliant social media use.
◈ Provide a security awareness and training program.
Cost of Recent Penalties for Non Compliance HIPAA
Recent fines for penalties for non compliance HIPAA are as follows:
◈ Cottage Health: $3 million fine
◈ Touchstone Medical Imaging: $3 million fine
◈ University of Rochester Medical Center: $3 million fine
◈ Sentara Hospitals: $2.175 million fine
◈ Jackson Health System: $2.154 million fine
◈ Texas Health and Human Services Commission: $1.6 million fine
◈ Medical Informatics Engineering, Inc.: $100,000 fine
◈ Bayfront Health St. Petersburg: $85,000 fine
◈ Korunda Medical, LLC.: $85,000 fine
◈ West Georgia Ambulance, Inc.: $65,000 fine
◈ Elite Dental Associates: $10,000 fine
Preventing Penalties for Non Compliance HIPAA
To prevent penalties due to non compliance for HIPAA, organizations can learn from previous issued fines. Being aware of why organizations were fined, allows organizations to develop a HIPAA compliance program that addresses all HIPAA requirements.
To prevent penalties for non compliance HIPAA, organizations should do the following:
◈ Conduct a security risk analysis: required to be completed annually, a security risk analysis identifies gaps in security measures safeguarding protected health information (PHI).
◈ Implement security measures to reduce risks: HIPAA requires the confidentiality, integrity, and availability of PHI to be maintained through security measures such as firewalls and data backup.
◈ Evaluate operational changes: when there are changes to the way an organization operates, security measures must be adjusted to account for those changes.
◈ Adhere to the Breach Notification Rule: a breach affecting 500 or more patients must be reported to the Department of Health and Human Services (HHS), affected patients, and the media within 60 days of discovery. A breach affecting less than 500 patients must be reported to HHS and affected patients by the end of the calendar year.
◈ Adhere to the HIPAA Right of Access rule: requested patient records must be provided within 30 days of the request in the format that it is requested in (i.e. email, mail, fax, etc.). Providers cannot charge excessively for access to records.
◈ Adhere to the minimum necessary standard: providers and healthcare employees may only access the minimum necessary PHI to perform their job function.
◈ Implement access and audit controls: to ensure that the minimum necessary standard is upheld, access and audit controls must be implemented. Access controls designate different levels of access to PHI based on job role. Audit controls monitor who accesses what PHI, and for how long, to ensure that PHI is not accessed excessively.
◈ Provide a Notice of Privacy Practices: must be given to patients upon intake. A Notice of Privacy Practices dictates how PHI may be used and disclosed as well as explaining patient’s rights in regards to their PHI.
◈ Implement policies and procedures: dictates the proper use and disclosure of PHI as well as what to do in the event of a breach or other security incident.
◈ Train employees: ensures that employees are aware of policies and procedures.
◈ Sign business associate agreements: must be signed before it is permitted to share PHI with a business associate. A business associate agreement (BAA) dictates the security measures that must be in place as well as which party is responsible for reporting a breach should one occur.
◈ Encrypt devices when it is reasonable and appropriate: encryption, or similar security measures, must be implemented to secure PHI on portable devices such as laptops or thumb drives.
