HIPAA/HITECH Compliance for the Private Medical Practice: It’s time to “kick the tires” on your organization’s Policies & Procedures
In 1996 the United States government enacted the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA’s Privacy and Security Rules require covered entities to implement administrative, physical and technical safeguards to protect confidential patient information (protected health information, or PHI). In 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) dramatically increased the scope of HIPAA coverage: it made the myriad of entities that handle PHI on behalf of healthcare providers (“Business Associates”) directly accountable under the rules, and it added the Breach Notification Rule, which requires covered entities to notify affected patients (and, for larger breaches, the government and the media) when their information is compromised.
HITECH and Health Reform have changed the game. If a provider is found noncompliant with HIPAA rules, the organization can now be fined up to $1,500,000.00 per calendar year for violations of the same provision. Moreover, the fine is usually just the beginning: legal fees, additional fines, reputational loss, investigations, consulting and audits can quickly turn the situation into a financial catastrophe. Additionally, patients whose information has been compromised may pursue compensation through civil lawsuits and monetary settlements. In sum, the importance of HIPAA/HITECH compliance cannot be overstated, and compliance is mandatory for ALL covered providers, from the solo practitioner to large health systems.
This means that even as a solo practitioner, you MUST:
i) Have, maintain and update your organization’s Policies & Procedures, be able to prove that you have information handling processes in place, and be able to show that you actually adhere to those processes
ii) Have written Business Associate Agreements with all Business Associates, and obtain satisfactory assurances that each Business Associate complies with HIPAA regulations
iii) Verify and ensure that appropriate safeguards and security measures are in place to prevent unauthorized access to sensitive patient information
HIPAA’s Security Rule mandates that covered entities periodically conduct a risk analysis of the threats to the confidentiality, integrity and availability of the electronic PHI they hold, and manage the risks that the analysis identifies. The results of these internal risk assessments will be requested if your organization is selected for an audit. Providers who have not conducted an internal risk assessment within the last year should do so now, and start 2013 knowing that their practice will pass scrutiny when selected for an audit. For more information on the HIPAA audit process and to learn why your organization may be at risk, feel free to contact the LaBovick law group.