Growing up, my favorite excuse to get out of trouble was “But Dad, I didn’t know.” It was second only to “But Mooooom, I didn’t think...” I am not quite sure why I liked these excuses. They NEVER worked. Ever. And they don’t work today when my kids try them with me. I hear my Mom’s voice come out of my mouth when I tell a child, “You not thinking is half the problem.” Well, guess what? These excuses don’t fly with the Department of Health and Human Services when it comes to HIPAA violations either. A defense of “we didn’t know” is no defense at all.
Thankfully, most medical and dental practices take great care to ensure that HIPAA Rules are followed and violations do not occur. But let’s face it: mistakes happen. Monitors get left unattended and suddenly patient information is visible to the waiting room. A USB containing patient information gets lost. An email gets sent to the wrong person. All accidents. And yet all HIPAA violations. So, what’s next?
What happens after HIPAA violations largely depends upon the severity of the violation. Civil penalties for HIPAA violations start at $100 per violation by anyone who violates HIPAA Rules. The fines can rise to the $25,000 to 1.73 million dollar range if there have been multiple violations of the same type or when the individual was aware that HIPAA Rules were being violated or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was corrected within 30 days from when the employee knew that HIPAA Rules had been violated, civil penalties will not apply. Therefore, it is imperative to have policies and procedures in place and that all employees are well trained. Employees need to know that should an incident occur, it should be reported and addressed immediately. Furthermore, healthcare organizations are not permitted to take retaliatory action against individuals who report a HIPAA violation in the workplace.
The possibility for fines and litigation are reduced if proper compliance was sought both before and after the discovered violation. For example, was the staff trained properly? Were there plans and policies in place prior to the violation? Was the violation reported to the proper people once discovered? Was the incident accidental, due to negligence, or something more nefarious? Simply put, was due diligence exercised?
This is where a compliance officer or 3rd party objective consultant like CentraVance can really save your practice! He or she will be better able to help your practice work through the required risk assessment, give sound advice on the nature of the incident, and instruct you on what steps to take in order to protect your practice’s reputation. This is particularly important if the incident is determined to require breach reporting and notification to the patient(s) and Health and Human Services.
All incidents are documentable, but not all will be reportable. You must complete a risk assessment to help determine the level of compromise.
There are a minimum of 4 factors to be considered when conducting a risk assessment:
The nature and extent of the Patient Health Information (PHI) involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the PHI or to whom the disclosure was made;
Whether the PHI was acquired or viewed; and
The extent to which the risk to the PHI has been mitigated.
If there is a higher probability of compromise based on the above four factors, notification is required. Entities must consider what was inappropriately disclosed, to whom it was disclosed, whether that person saw the data, and what methods of mitigation were available. Additionally, when these mistakes happen, be they through simple human error or something more calculated, HIPAA requires us to train and retrain when things go wrong to help us not make the same mistakes over and over.
There is probably no way for me to escape turning into my mother. It’s gonna happen. I’m three years away from yelling at kids to get off my lawn. But there is hope for your healthcare practice. Call the team at CentraVance Consulting to make sure you have the proper policies and procedures in place and your team is trained to avoid HIPAA violations. They can also help you mitigate any HIPAA violations that may have occurred and empower you to protect your brand, your patients, your employees, and your practice’s reputation.
Patient Records Held in Violation of HIPAA and EULA