If you’re a healthcare employee, you already know a lot about the HIPAA Rules. You’ve probably received training on how to protect health information, and have heard about all the fines being levied against everything from small hospices to the largest hospitals (like Massachusetts General Hospital).
Because HIPAA is a federal law, there are expensive penalties involved in HIPAA mistakes (breaches). Fines have ranged from $50,000 to millions of dollars. Here are just a few of the recent fines.
Shasta Regional Medical Center – $275,000, June 2013
Hospice of Northern Idaho – $50,000, January 2013
BCBS Tennessee – $1,500,000, March 2013
State of Alaska – $1,700,000, June 2012
Phoenix Cardiac Surgery – $100,000, April 2012
Mass General Hospital – $1,000,000, February 2011
There have been dozens of other fines, many in the millions of dollars, and, with the passage of the new HIPAA Omnibus Rule, which takes effect on September 24, 2013, there will be many more.
If you are a healthcare organization, you need to address the risk of a potential HIPAA fine. And the fine is not the worst part: the “resolution agreement” you sign forces your organization to file all sorts of quarterly reports and meet with regulators for years to come, and those ongoing activities are even more expensive than the fine!
The Office for Civil Rights (part of the U.S. Dept. of Health and Human Services) is self-funded from these fines, and it uses the money from the fines to start even MORE enforcement activities.
The basics you need to have in place to reduce the risk of a HIPAA fine include 1) having a Risk Analysis done in the past 12 months, 2) having HIPAA training conducted annually for EVERY employee, 3) updating all your Business Associate agreements, and 4) developing a robust security awareness program, just to name a few.
HIPAA compliance-related fines are a risk that should be considered by every healthcare organization, no matter how big or how small, because your bottom line AND your reputation may depend on it!