Don't make the mistake of assuming that HIPAA fines only target large healthcare companies. And don't assume that the Department of Health and Human Services won't issue large fines to a small company.
American Medical News reports that a five-doctor practice in Phoenix was fined $100,000 for a HIPAA violation. What did the healthcare practice do to violate HIPAA privacy laws? The practice…
- Posted a publicly available online calendar that showed the dates of surgeries for its clients.
- Failed to document HIPAA training procedures.
- Didn't obtain business associate agreements from email and Internet vendors (see "The HIPAA Data Security Lesson Small Businesses Need to Learn" to learn about BA agreements).
- Failed to perform a risk analysis.
- Failed to identify an employee to lead risk analyses and oversee HIPAA compliance.
Translation: the small practice made little effort to protect patient data and didn't implement the infrastructure that makes day-to-day security possible.
When it Rains, it Pours: One HIPAA Violation Leads to More
How does HHS find out if you've violated HIPAA privacy laws? While security audits are possible, often what happens is that the government agency receives a complaint from a patient and launches a full-scale investigation of your practice.
Once HHS is investigating a practice, you can be sure it will find some evidence of violations. The initial complaint for the small Phoenix practice only had to do with its online calendar. The other four violations were found during the HHS investigation.
This means that a small violation can lead to large fines if HHS investigates your practice and finds that your record keeping isn't up to par and you've slacked on your employee training. Let's take a look at some of the ways you can avoid a HIPAA violation.
How to Avoid a HIPAA Violation
HIPAA requirements are complex. Compliance is a challenge for many small healthcare providers, which don't have the IT and data security budgets that a larger provider has.
There's no way we could outline all your HIPAA and HITECH requirements in this article. Furthermore, these requirements are always changing: as network and computer security practices improve, you'll have to update your technology to stay compliant.
We can boil down your obligations to the following key duties:
- Ensure that your data is encrypted, stored, and transferred according to best practices to prevent data breaches.
- Get outside contractors and business associates who have access to your patients' protected health data to sign a BA agreement that outlines their HIPAA responsibilities (HHS publishes sample BA agreement provisions on its website).
- Perform regular security audits (at least annually) to identify security weaknesses and fix them.
- Adopt policies and procedures to ensure that patient information is entered correctly into your computers.
- Make sure patients have quick access to their data if they request it.
- Train your employees in these practices and document all training.
The good news for small healthcare providers is that the Department of Health and Human Services won't always fine you if there's a report of a violation. If your business has taken all the necessary steps to prevent violations and documented them, HHS may be lenient. Rather than a fine, some small healthcare providers will have to follow a "corrective plan" to fix all their HIPAA violations and get their data security up to code.
Is There Insurance for HIPAA Violations?
While a healthcare practice's Cyber Liability Insurance (also called Data Breach Insurance) sometimes covers HIPAA violations, not all policies include this coverage. To find out if your insurance has HIPAA fine coverage, you'll have to read your policy or talk with an insurance agent.
For more information on cyber insurance for healthcare companies, see "Cyber Insurance and HIPAA Fines: Making Sure You're Covered."