The United States Department of Health and Human Services (HHS) is cracking down on HIPAA violators. Now, more than ever, a practice of any size that is found to have failed to protect patient confidentiality can expect little leniency. On April 17, HHS made an example of a physician’s office in Phoenix, Arizona. The practice has only five doctors, yet despite being what many would call a small business, it must pay a $100,000 fine for violating the HIPAA Privacy and Security Rules. The sanction may seem harsh for such a small practice, but it demonstrates the zero-tolerance stance HHS has taken toward HIPAA violations.
A complaint was filed against the practice after it was discovered that the practice was posting an online calendar that was accessible to the public. The calendar listed patients’ appointment schedules and even scheduled surgeries. The HHS investigation that followed found that the practice’s employees had little understanding of the HIPAA rules and regulations. A second red flag was raised when investigators examined how little effort the practice had put into its policies for protecting patient information.
While these two findings are the most alarming, the investigation turned up a number of other failures, including the lack of a business associate agreement covering the practice’s internet-based calendar and email services and the absence of any documented risk analysis. Together, these violations resulted in the six-figure fine.
The message is clear: follow the HIPAA rules or face major financial consequences. Leon Rodriguez, Director of the HHS Office for Civil Rights, was quoted as saying, “This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.” He went on to stress that he expects providers to comply with the evolving HIPAA rules regardless of the size or prominence of the practice.
It is imperative to educate yourself and your staff about the current HIPAA rules. For more information on HIPAA compliance, view our webinar “Protect PHI & Manage Risk – HIPAA/HITECH Compliance,” which covers managing your risk of a data breach, achieving breach-notification safe-harbor status, and encryption and key management best practices.