To Be Or Not To Be: HIPAA Compliance and You!
By: Melissa Moore Sanchez, Manager, Sales & Marketing, NORDIC
Last summer Jocelyn Samuels assumed the role of Director of the Department of Health and Human Services’ Office for Civil Rights when Leon Rodriguez resigned from the position. Samuels wasted no time putting her stamp on the office’s already tough stance on HIPAA enforcement, stating, “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems. That is why enforcement is a critical part of our arsenal of tools to ensure compliance.” Samuels went on to say, “Resolution agreements that include a monetary settlement are only a small fraction of complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
So, how seriously are you taking your HIPAA compliance obligations? Cyberattacks continue to increase, particularly in the medical and dental industries: they rose more than 40 percent in 2013, significantly more than in the business sector. The words “cyber risk” immediately conjure images of a practice’s computer system being hacked, and that is often the case. But cyber risk also includes an employee mistake in which patient data is unintentionally shared with an unauthorized party. It can mean the theft or loss of a mobile device (laptop, smartphone, memory stick) that contains patients’ Protected Health Information (PHI). It can mean improperly destroying (or failing to destroy) patient records, including information stored on equipment with internal memory, such as photocopiers.
Cyber risk can also mean malicious intent from an employee who tries to sell or fraudulently use patient information. Don Jackson, Director of Threat Intelligence at PhishLabs, a cybercrime protection company, says stolen health information can sell for $10 each on the black market, which is about 10 or 20 times the value of a U.S. credit card number. (This data was obtained by monitoring underground exchanges where such information was being sold by hackers.)
To add insult to injury, HIPAA requires that you self-report breaches involving fewer than 500 people on an annual basis to the Office for Civil Rights (OCR). Breaches of 500 or more must be reported to the OCR within 60 days of the event.
Penalties can range from $100 to $50,000 per violation, capped at $1.5 million. Expect that the OCR will want copies of your policies and procedures, including but not limited to: your Notice of Privacy Practices; your policies and procedures for protecting PHI; employee training; copies of your complete risk analysis before and after a breach; a detailed description of the breach; disciplinary measures (if it involved an employee); and remedial measures taken following the breach.
You should be conducting staff compliance training at least annually, and documenting when the training took place, what was discussed, and who attended. Any change to the policy, whether implemented by you or the government, and any new staff hire, requires additional training.
HIPAA breaches are time-consuming and expensive. Costs associated with a breach, not including fines, can easily balloon into six figures. The Experian Data Breach Industry Forecast for 2015 predicts the healthcare industry will be “plagued” with data breaches, and states that “the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually.”
Some of the expenses include: printing and postage for patient notification letters; establishing a call center to handle patients’ phone inquiries; identity theft or credit monitoring services; forensic investigations; and legal costs, including defense and judgments.
To be HIPAA compliant, you are required to assess your practice’s vulnerabilities concerning the safekeeping of PHI. You must identify where PHI is received, maintained, stored or transmitted; identify and assess the risks for each of those areas; rank and prioritize the risks; and then create and implement policies and procedures to safeguard the PHI. Document each step. Create policies and procedures for responding to a breach, and document them. Regularly review and, when necessary, update your policies and procedures, and document that as well. Make sure computers are encrypted and security patches are current. Every step should be thoroughly documented for future reference and in case you need to produce records for the OCR. Did I say document?!
To be HIPAA compliant is, without a doubt, a time-consuming undertaking. However, not being compliant could eventually create larger headaches and expenses further down the road.
NORDIC is pleased to offer all of our insureds a complimentary HIPAA Compliance Packet, complete with HIPAA forms and step-by-step tools for completing a practice assessment. We also offer cyber insurance designed specifically for dentists, and you don’t have to have your malpractice policy with NORDIC to be eligible. It’s all part of the gold standard of service we offer to all of our clients. For more information, please contact us at (800) 662-4075.