In today’s world, doing the bare minimum for healthcare information management security is just NOT good enough. With that strategy it is only a matter of time until an organization responsible for ePHI suffers a major system disruption or an ePHI security breach. Or both.
If your business creates, receives, stores, transmits or otherwise possesses patient data, you are bound by HIPAA laws.
Covered entities AND business associates are directly liable, financially or worse, for violations of the HIPAA regulations.
Clinical Service provider note:
If you have attested for Meaningful Use incentive money, then you have also pledged to state and/or federal government agencies that you have taken the necessary steps to examine and protect your patient data. Therefore, if you are audited, a compliance management failure could cost your organization significant amounts of money.
The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”. Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and could result in criminal charges.
HIPAA violation categories and their respective penalty amounts are outlined in the chart below. These amounts are per violation of an identical provision in a calendar year:
| Type of Violation | Penalty per record | Maximum fine per incident |
|---|---|---|
| Did not know you had a problem, could have fixed it | $100 – $50,000 | $1,500,000 |
| You should have known you had a problem but could not have avoided the violation | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect – You knew you had a problem and chose not to correct it | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect – Problem ignored and no action taken to correct the problem | | |
Source: HHS, Federal Register.gov
It is essential that organizations that handle patient information conduct a Privacy & Security Risk Assessment and Vulnerability Audit. The penalties are too big if you are not prepared.
Can you answer these questions about your health care operation?
- Is your healthcare data management plan continuously updated?
- Do you know what your data security risks are?
- Is all of your ePHI encrypted?
- Have you conducted a risk analysis since upgrading your EMR?
- Are your Business Associates providing ample protection of your data?
If the answer to any of the above questions is “No”, then you are running a VERY high risk of non-compliance that has huge financial ramifications.
How can we help you?
Our Audit services will help you understand your organization’s ePHI management strengths and weaknesses. You can afford compliance. You cannot afford non-compliance.
We start with a simple questionnaire to determine your organizational compliance program maturity. That creates our scope of work, which becomes our project plan and starting point. From there we create a custom, ongoing strategic compliance documentation, operations and management program plan for your organization.