Consistent HIPAA Compliance Requires Ongoing Assessments
28 Oct
The need for HIPAA compliance will never wane. As more Wi-Fi-connected medical devices and apps enter the market and patient data becomes universally digitized, the need for data privacy measures will continue to expand. Since medical organizations are ultimately accountable for that privacy, MSPs should help their clients understand that the repercussions for violating the health privacy mandates of HIPAA will grow as well.
Yet, organizations continue to skirt HIPAA requirements at the risk of hefty fines and patient privacy breaches. Over 245,000 complaints have been filed since the Security Rule of HIPAA was established in 2003. As of September 2020, 3,823 remain open [1].
Let’s take a look at some recent examples of HIPAA complaints and their high-priced settlements.
HIPAA Complaints and Settlements
Risk Analysis Failure
The Office for Civil Rights (OCR) hit Fresenius Medical Care North America (FMCNA) with a $3.5 million settlement when the health organization failed to perform HIPAA risk assessments of its ePHI systems at five dialysis centers [2].
Although HIPAA has required organizations to perform accurate and thorough risk analyses since the act was finalized in 2005, many covered entities and business associates overlook this mandate. According to The HIPAA Journal, “HIPAA enforcement is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments.”
Incorrect Breach Reports
Sentara Hospital’s inaccurate breach report cost it a $2.175 million settlement. When the hospital accidentally sent bills to the wrong patients, it initially reported that only eight people were affected. However, the actual number was 577, with a single patient filing this complaint [2].
Report accuracy is of utmost importance for patient safety and privacy as well as for compliance.
The loss of unencrypted laptops containing ePHI files led to a $65,000 resolution for an ambulance company [2].
Lost or stolen electronic devices rank as one of the most common reasons for large-scale ePHI violations.
Bayfront Health St. Petersburg reached an $85,000 resolution with the OCR after it denied a mother records about her unborn child. Korunda Medical also incurred an $85,000 penalty when it refused to deliver medical records in the electronic format requested by the patient, even after several requests [2].
Under HIPAA, organizations must release health records immediately upon a patient’s request. With enough covered entities having failed to comply, the OCR has launched a targeted initiative to compel organizations to provide records promptly and at a reasonable cost.
Email and Social Media
After a dental practice in Dallas, TX published a patient’s name and health information when it responded to the patient’s social media review, the OCR settled with a $10,000 resolution [2].
Organizations must acquire explicit permission to release or publish a patient’s information. Although HIPAA doesn’t require covered entities to obtain written permission to transmit ePHI via email, many compliance professionals do recommend it.
Compliance Assessments for Violation Protection
This small sampling of HIPAA violations presents a sound argument for covered entities and business associates to pursue dedicated and consistent compliance practices. HIPAA compliance is never a “one-and-done” proposition. It requires an evolving, long-term commitment on the part of any company that possesses electronic patient data. Ongoing compliance assessments are among the best methods a covered entity can use to achieve reliable and continuous compliance.
MSP clients will continue to be vulnerable if they are not aware when they are at risk, and a surprise audit could reveal compliance offenses that may result in fines and threaten patient privacy.
Regular compliance assessments provide insights that can detect violation risks and enhance client security. Assessments can also help prove that the client has taken appropriate steps to maintain compliance, which will be crucial in reducing penalties in the event of a breach.
MSPs, if you’d like to learn more about how products such as Compliance Manager can help you meet your clients’ HIPAA compliance demands, visit RapidFire Tools for more information.
1. Numbers at a Glance, US Department of Health & Human Services, 2020
2. HIPAA Compliance Settlements – 6 to Learn From for 2020, The Fox Group, 2020