Failing to Implement HIPAA Causes Large Fine

Failing to ImplementFailing to implement HIPAA causes a large fine for a small town North Carolina health services provider. They were fined $25,000 for multiple, easily avoidable, HIPAA violations for “longstanding, systemic noncompliance” with the HIPAA Security Rule. [Note: The provider is a part of a health center which offers discounted medical services to the underserved population in rural NC, and the fines were reduced in consideration of this, but it still resulted in a significant monetary loss].

In 2011, Metropolitan Community Health Services (Metro), doing business as Agape Health Services, filed a breach report regarding “the impermissible disclosure of protected health information to an unknown email account.” The breach affected over 1,200 patients!

In addition to the large monetary penalty, the practice is required to develop and adopt a corrective action plan (which includes two years of thorough monitoring) after the Office for Civil Rights (OCR) discovered that Metro failed to conduct a thorough and comprehensive HIPAA Security Risk Assessment and Analysis. In addition, Metro did not implement a single HIPAA Security Rule Policy and Procedure for the health center. Possibly worst of all, Metro failed to provide workforce members with HIPAA Privacy and Security Awareness training until 2016!

Patients must trust who they share their personal, private, and protected health information with. A breach such as this, is obviously devastating for the patient, in addition to their doctor’s reputation. So, how can physicians ensure that they are meeting the HIPAA requirements and have proper safeguards in place to avoid this sort of breach?

First off, an accurate and thorough Security Risk Assessment and Analysis must be conducted to expose and target any potential administrative, physical, and technical vulnerabilities. Doing so  highlights any major flaws in a practice’s administrative and technical safeguards, and accentuates the policies and procedures that the practice needs to implement.

In addition to that, the designated HIPAA Privacy and Security Officer must ensure that ALL employees complete HIPAA Workforce training. All employees of the practice, including the physicians, must take HIPAA training to ensure employees have a clear understanding of the HIPAA Privacy Rule and actionable policies and procedures.

So, remember, healthcare organizations and their vendors have a responsibility to be HIPAA compliant, and that starts by performing, updating, or reviewing an accurate and thorough Security Risk Assessment covering your technical, administrative, and physical safeguards. This will help uncover any vulnerabilities, and help you understand what information is being transmitted, shared, and how it is being transmitted.

 

TAKE AWAYS AND THINGS TO CONSIDER:

  • Complete a Security Risk Assessment and establish a Corrective Action Plan that is accurate and thorough.
 Remediate any potential risks or vulnerabilities.
  • A Security Risk Assessment will target vulnerabilities related to what is potentially exposing Protected Health Information (PHI)
  • Develop actionable policies and procedures that clearly outline disclosures of PHI
  • Ensure all employees have a clear understanding of the HIPAA Privacy rule and its policies and procedures

 

Live Compliance provides everything you need to become and maintain your organization’s HIPAA compliance requirements. All policies and procedures can be edited and shared directly with staff from your staff portal. Trainings are delivered and monitored within your portal, can be customized, role-based, and be accessed anytime and from anywhere. You can also easily send and monitor HIPAA training with one click.

Failing to implement HIPAA can cause tremendous problems and use precious resources and time to implement. Live Compliance makes it 10X easier than trying to do it on your own.

So, take advantage of Live Compliance’s FREE Organization Needs Assessment to understand your immediate compliance needs. For additional details, e-mail Jim Johnson (at jim@livecompliance.com), call (980) 999-1585, or visit their website at livecompliance.com/oa

Live Compliance is a partner of EZClaim, a medical billing software company. For more details about their solutions, visit their website at ezclaim.com.

[ Written by Jim Johnson, President of Live Compliance ]

ONE Patient Complaint

ONE patient complaint leads to $2.175 Million fine! AND 2 Years of OCR Monitoring.

Contributed by Jim Johnson, President of Live Compliance

One patient complaint, that’s all it takes. Have you ever read such headlines and doubted whether a small billing company or independent physician practice would ever face such seemingly insurmountable penalties? Actually, there should be no doubt! The Sentara Hospital violations are violations that every small billing company or independent physician practice would face, not just because Sentara is a hospital.

So what happened? In short, a complaint from an individual came from a person receiving a bill containing another individual’s billing statement. As a result of Sentara investigating this breach, Sentara reported a breach affecting 8 individuals, when in actuality, Sentara mailed 577 patient’s statements to the wrong addresses. This is an example of why you must perform and document a breach risk analysis as soon as you become aware of a potential incident. It is important that you understand what a breach is and the breach notification requirements.

The second issue discovered during the investigation revealed Sentara failed to have a business associate agreement in place with an entity that performed business associate services for Sentara. This reinforces the importance of having business associate agreements in place and your understanding that BAA’s are contracts that outline timeframes and provide your attestation to a satisfactory assurance of your ability to safeguard PHI among other things.

Maybe most importantly, you should know every complaint must be investigated by HHS/OCR. What that means is, if you improperly disclose protected health information, like sending a statement to the wrong patient, you, a billing company, must inform the covered entity (your client) and have a breach risk assessment completed to determine several key factors. Then the covered entity must take action based on these findings. If you haven’t completed an accurate and thorough security risk assessment prior to that, you could also be penalized under ‘willful neglect’. This category alone is $50,000 per violation! 

In fact, Texas Health received a $1.6 million fine for improperly disclosing ePHI. Texas Health failed to comply with several HIPAA requirements including failure to perform the HIPAA Security Risk Assessment.

The fines are huge, but the reputational damage to your billing company and the covered entity is expensive and difficult to overcome.

What we do is keep this from ever being a worry for you! In fact, we have a 100% audit pass rate since 2010! For example, Live Compliance has easy to understand HIPAA breach notification training. We perform your security risk assessment and manage all your requirements, including business associates, in a clean, organized cloud-based portal.

Don’t risk your company’s future, especially when we are offering a FREE Organization Assessment to help determine your company’s status. 

It’s easy, call us at (980) 999-1585, email me jim@LiveCompliance.com or visit LiveCompliance.com

Keep in mind, a business associate is a ‘person’ or ‘entity’. This means there is no billing company too small or too large to comply with the Federal HIPAA regulations.

LEARN MORE

Click here to read more informative articles from EZClaim and our partners.