“Ignorance is Bliss” is a phrase commonly used to justify a lack of action when it is more comfortable to ignore something that should be attended to. Surprisingly, ignorance defenses have been used successfully to avoid filing tax returns (Cheek v. United States 1991) and to escape prosecution for identity theft (Flores-Figueroa v. United States 2009); however, there is no defense for ignorance when it comes to protecting the private health information of patients.
Thousands of articles have been written about the revisions to the Health Insurance Portability and Accountability Act (HIPAA) that were enacted last year, and this was not the first time that the security of protected health information (PHI) came under the spotlight – the first HIPAA Privacy Rule was introduced more than a decade ago in April 2003.
Ignorance of the rules, or the failure to comply with them, has resulted in multiple million-dollar fines for healthcare organizations and other HIPAA-covered entities – not a blissful scenario at all – and with new rounds of HIPAA audits constantly under way, here are 7 things you should know about HIPAA compliance.
Unlike the Meaningful Use incentive program, any organization that comes into contact with PHI has no option but to introduce measures to comply with HIPAA – it's the law. The HIPAA Security Rule, the (revised) HIPAA Privacy Rule and the HIPAA Breach Notification Rule are all examples of the regulations healthcare organizations need to adhere to in order to protect patient privacy.
The costs involved in implementing a secure messaging solution, conducting risk assessments and training employees to use the solution are much less than commonly believed. Initial set-up costs are naturally going to vary according to an organization's size, environment and the nature of its business; but the Department of Health and Human Services has released a Security Risk Assessment Tool to eliminate the cost of outsourcing risk assessments to expensive third parties, and it is recommended that the training of employees to use the secure messaging solution is integrated into regular training sessions to reduce any drain on resources.
The enactment of the Final Omnibus Rule in 2013 doubled the maximum fine for a single violation of HIPAA from $25,000 to $50,000 per compromised patient record. This meant that when the New York-Presbyterian Hospital inadvertently disclosed the unsecured records of 6,800 patients on the Internet, the potential fine for the violation of HIPAA could have been as much as $340 million. Fortunately (for the New York-Presbyterian Hospital) the breach of PHI was settled for $3.3 million.
It is a myth that the implementation of measures to keep communications in compliance with HIPAA will reduce workplace efficiency. The convenience and speed of mobile communication can be maintained – indeed enhanced – when appropriate systems of secure communication are introduced for compliance with HIPAA; and healthcare organizations can retain their BYOD policies if revised to cover staff usage of the secure messaging solution.
The Final Omnibus Rule of 2013 extended the coverage of HIPAA to Business Associates and other third-party service providers to the healthcare industry, introduced a revised definition of a breach, and set out new procedures for notifying the Office for Civil Rights of a breach of PHI. The potential consequences of failing to report a breach of PHI can include a federal investigation, even bigger fines and civil legal action from patients who have had their personal information compromised. It's probably a good idea to avoid a breach wherever possible!
HIPAA compliant communication is not all about putting a secure messaging solution in place and forgetting about it. The administrative requirements of HIPAA stipulate that all covered entities must have documented policies and procedures and that employees must be trained on these policies and procedures. Each organization’s highest priority should still be notifying necessary parties of a breach of PHI.
Breaches of HIPAA do not only result in financial penalties but can also damage the reputation of your healthcare practice or organization. Trust between a medical facility and its patients is of paramount importance for the ongoing success of the medical facility, and breaches of PHI and subsequent OCR investigations can destroy that trust. Implementing measures in order to comply with HIPAA is one of the most certain ways of maintaining trust – and your clients.
Watch our free webinar and discover how a HIPAA-compliant mobile strategy is a great first step in your clinical communication and collaboration journey. Learn tips and best practices from Adam Greene, an attorney and former HHS regulator, who focuses on health information privacy and security, and find out how compliance plays into the larger clinical communications picture.