If you think or already know that your practice is collecting and handling patients' information in a non-compliant way, you are putting yourself and your organization at risk for some serious consequences.
Violating the Health Insurance Portability and Accountability Act (HIPAA) is not something to be taken lightly. In 2016, HIPAA settlement cases reached $23 million. In just a few weeks of 2017 alone, over $2.5 million was collected to resolve 2 cases of HIPAA noncompliance. If you are a doctor or someone practicing in healthcare, you know that HIPAA enforcement efforts by the government have greatly increased and that fines have also risen by roughly 10%.
If your practice has not taken necessary steps to ensure HIPAA compliance across all protected health information (PHI), you should be on high alert and start implementing the necessary precautions to meet compliance standards. Ignoring these precautions puts your entire organization at risk.
Not convinced? Here are 5 consequences your facility or healthcare workers could face if your practice is found guilty of HIPAA violations.
If the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) finds through an investigation or audit that your practice is violating HIPAA, it will seek to resolve the issue by requiring your practice to go through a stringent, deadline-driven corrective action plan. The sole purpose of this plan is to bring your facility up to HIPAA compliance standards. You will be required to do all the work you should have done in the first place, but under the strict supervision of the OCR. These types of corrective action plans require some or all of the following actions to take place within a specified amount of time:
- ePHI risk analysis
- ePHI encryption on all devices
- Documentation of policies and procedures related to privacy, security, and breach
- Workforce training
With HIPAA violations come hefty fines. The purpose of these fines is to motivate practices to always operate with HIPAA compliance in mind and to hold accountable those who don’t. The fines are tiered and assessed per violation, based on the severity of the violation and on whether the practice knew about it in the first place. There are 4 tiers of fines:
- If the practice was unaware (and could not have reasonably been aware) of the HIPAA violation, the penalty ranges from $110-$55,000 per violation
- If the violation occurs due to reasonable cause (and not willful neglect), the penalty ranges from $1,100-$55,010 per violation
- If the violation is due to willful neglect but is corrected in a timely manner, the penalty ranges from $11,002-$55,010 per violation
- If the violation is due to willful neglect but is not corrected in a timely manner, the maximum penalty of $55,010 per violation applies
It is also important to note that if repeat violations occur in the same calendar year, the penalty is $1,650,300 per violation. The largest HIPAA violation fine ever paid was $5.5 million, after Advocate Health System discovered three data breaches that compromised the privacy of four million patients. Keep in mind that the OCR can issue HIPAA violation fines even if there is no breach of ePHI. These types of fines include those for failure to maintain secure documentation, failure to properly train employees on best practices, and failure to obtain a Business Associate Agreement (BAA) with any third-party service provider.
We have gone through the legal ramifications of HIPAA noncompliance, but these are not the only issues that arise from violating HIPAA. There are other long-lasting effects that will greatly impact your career as a doctor or healthcare provider. If the breach can be attributed to an individual, that person is at risk of termination of employment and suspension or dissolution of their license to practice. In 2012, a cardiology nurse unlawfully gained access to medical records and was promptly fired.
Legal ramifications aside, once word of your HIPAA violations makes its way to the press and media, your business could be truly damaged. If you are found guilty of compromising your patients’ privacy rights, they will lose trust in you and may drop you as their physician and seek healthcare elsewhere. Patients who jump ship are also unlikely to recommend your practice to others, are likely to leave negative reviews on the Internet, and can easily strip away your credibility. Remember, the Freedom of Information Act makes reported HIPAA violations publicly accessible, meaning even one small misstep can blemish your entire reputation.
Depending on the severity of the case, some HIPAA violations can lead to criminal charges. These are the cases in which the Department of Justice (DOJ) gets involved. While such cases are rare, jail time may be ordered based on a tiered approach:
- If someone willingly obtains or discloses ePHI, the penalty is up to one year in jail
- If someone obtains ePHI through deception, the penalty is up to five years in jail
- If someone obtains ePHI for personal gain or with intent to harm, the penalty is up to 10 years in jail
These jail sentences are also typically accompanied by large fines. The fines and jail time for each offense depend on the charges as well as on the state in which the offense occurred.
What Can You Do To Prepare?
When it comes to your phone system, RingRx has you covered. We are the only communication solution that was built with 100% HIPAA compliance in mind. We offer a signed BAA upon start of service and have a fully encrypted platform that meets all HHS standards. Sign up for your free 30-day trial today.