HIPAA Lowers Fines but Sets Enforcement Record
Although it may seem that you do not have to worry about penalties for HIPAA violations and breaches, there are very real challenges and consequences for not taking the appropriate precautions. If you think that you have no security issues and no privacy problems, the odds are that you should be concerned. In short, you must know that your office has taken all appropriate precautions.
- Have you trained all of your staff within the appropriate timeframe (reasonable time after hire and periodically)?
- Have you performed a risk analysis of your office?
- Have you taken appropriate precautions to repair security and privacy problems?
- Do you have a specific, written plan for HIPAA breaches, such as ransomware and stolen equipment?
- Are your computers appropriately encrypted?
- Do you have the necessary passwords?
- If you have made any changes in your office that would impact privacy and/or security, have you trained all employees impacted with those changes?
- Do you have cyber-liability insurance to help with the exorbitant costs of the all-too-frequent HIPAA breach?
These are just a few of the many questions that you should be asking to make sure that your practice is complying with current HIPAA law.
2018 marked a record year for HHS in enforcement – $28.7 million in fines and penalties. These ranged from $100,000 (assessed to FileFax for leaving a truck unlocked in the parking lot) to $16 million (assessed to Anthem for a massive breach after they suffered a cyber-attack by spear-phishing emails). Additionally, MD Anderson in Texas was fined for the “theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives.”
I have personally spoken with two different chiropractic physicians here in Illinois who have been hit with ransomware that locked down their servers and medical records, demanding a ransom (as much as $10,000) be paid. Security and privacy breaches are not foreign to chiropractic physician offices. They are very real.
However, recently HHS lowered the potential HIPAA violation penalties in most circumstances:
This table from HHS demonstrates (“No Knowledge”) that even if you claim that you did not know, HHS can still penalize you as much as $50,000, and the fines are staggering for not taking action when you should. HIPAA security and privacy should NOT be ignored or put on the back burner.
To make some of this much easier, the ICS has a number of courses available on-demand FREE to ICS members. Please visit www.illinoiscme.com and find them today.