With fines ranging from $100 to $50,000 per violation, it is important to monitor your HIPAA compliance frequently and keep your organization in check. Organizations are fined under HIPAA for three key reasons: the policies and procedures in place are either insufficient to protect patient data or are not being followed; the organization has not performed a meaningful risk assessment; or a Business Associate Agreement is not in place. When a single employee's actions can result in a HIPAA violation, it is vital to reinforce and educate continuously.
HIPAA regulations require regular security risk assessments. Legal necessity aside, performing this assessment lets you uncover vulnerabilities that could lead to a breach. Identifying your weaknesses is the first step in minimizing your risk of being fined under HIPAA.
Training and educating your employees is one of the most important forms of breach prevention. The majority of HIPAA breaches are caused by a single employee accidentally violating confidentiality. Ensure all of your employees are trained to access and transfer data safely and according to procedure, and regularly audit access permissions for every user on your network so that each account holds only the access its role requires.
If your organization works with any associates that have access to confidential data without a Business Associate Agreement, you are liable for a breach, and disclosing PHI to an associate without one is itself a violation, as several of the settlements below show. Having a Business Associate Agreement in place defines the associate's obligations and makes the associate directly accountable for its own violations. This is a simple and easy way to protect your organization.
Respond immediately to any suspected breach and report a confirmed breach as soon as you are aware of it; the Breach Notification Rule requires notice without unreasonable delay and no later than 60 days after discovery. It is always better to be safe and report the breach than to end up wishing you had.
Here are some stats that might make your checkbook cringe:
As of July 31, 2016 the OCR had received over 137,770 HIPAA complaints and initiated over 885 compliance reviews.
| Entity | Settlement | Date | Key Allegations |
|---|---|---|---|
| Care New England Health System (CNE) | $400,000+ | September 23, 2016 | Business associate agreements not up to date |
| Advocate Health Care Network | $5,550,000 | August 4, 2016 | Policies and procedures lacking; insufficient risk assessment; lack of business associate agreements |
| University of Mississippi Medical Center | $2,750,000 | July 21, 2016 | Policies and procedures lacking |
| Oregon Health & Science University | $2,700,000 | July 18, 2016 | Policies and procedures lacking; insufficient risk assessment; lack of business associate agreements |
| Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | June 29, 2016 | Policies and procedures lacking; insufficient risk assessment |
| New York Presbyterian Hospital | $2,200,000 | April 21, 2016 | Disclosure of two patients' PHI to film crews and staff during the filming of a television series |
| Raleigh Orthopedic Clinic, P.A. | $750,000 | April 19, 2016 | Lack of business associate agreements |
| Feinstein Institute for Medical Research | $3,900,000 | March 17, 2016 | Policies and procedures lacking |
| North Memorial Health Care of Minnesota | $1,550,000 | March 16, 2016 | Policies and procedures lacking; insufficient risk assessment; lack of business associate agreements |
Don't leave your organization vulnerable when complying with HIPAA can be simple with planning. Turn to Crossroads Technologies for help with all of your healthcare organization's IT needs and compliance advisory.