It could be worse…

shutterstock_139688779About this time every year, I update my HIPAA research, including evaluating all of the large breaches that have occurred in the past year.  OCR (the Office of Civil Rights) is responsible for enforcing HIPAA regulations and their website has a list of all breaches that have occurred that include the private health information (PHI) of 500 or more patients in a single geographic area (HIPAA’s wall of shame).   I then check out HIPAA’s enforcement proceedings to see specific cases and what penalties were actually levied (HIPAA resolution agmts), and I also consider those incidents that I have personally encountered in the past year.

Since the 2013 changes, there are definite trends emerging.  First, I have noticed that the size of the entity does appear to affect the amount of the fine; in other words, hospitals and other large entities are generally fined more than individual offices for similar offenses.  That doesn’t mean that the fines for smaller organizations are insignificant.  (Well, they may be insignificant to the federal government, but I don’t find a $125,000 fine to be “insignificant” for any small business.  However, no one cares about my opinion on this, so, whatever.)

Secondly, it appears that the largest penalties are reserved for those entities who aren’t making a reasonable effort to comply with the regulations.  For example, although the HIPAA regulations do not absolutely require that encryption be used for all computers and electronic devices that contain patient PHI, they do make it clear that encryption must be considered as a reasonable precaution.  The resulting penalties to those who do not choose encryption also make it clear that, if there’s a chance that your computers and devices could be lost or stolen, then encryption is the proper choice. Those small entities that have not chosen encryption and have then been breached have received penalties ranging from $50,000 to $150,000 per incident.

It is also clear that all computer systems must be current, properly maintained, adequately secured, and all software must be up to date, especially security software.  Firewalls must be sufficient for the size of the system, all security software must be kept up to date and updates should be installed as they become available.  Software that cannot be supported and updated, such as Windows XP, should not be used because it allows hackers easy access to PHI.  (I know it sucks to have to upgrade computers and software, but that’s just a cost of doing business.  If you want to use computers in your dental office, they have to be adequate, or information can be accessible.)

Programs must be regularly maintained and updated, blah, blah, blah.  Check out previous blog posts, my website, and my articles to see information on how to get your office in compliance.

The point of all this is that it appears that making an effort can make a difference.  I have a friend whose office was burglarized and 1600+ paper records were stolen.  Because he had properly trained his people, regularly maintained his HIPAA program, and because he had properly secured the facility (the burglary didn’t result from any negligence on the doctor’s part) and properly reported the breach, he was neither fined nor penalized.  In other words, he did what he was supposed to do and the HIPAA folks didn’t punish him.

That’s huge.  It means that we may have some level of control over our own destiny.  We can do the best we can to regularly maintain our programs, document training, and properly secure our computers, and if something bad happens, we may be able to avoid a large fine or penalty.  That’s good to know.  (Now, let’s not go crazy here…I will still be renewing my HIPAA data breach insurance policy next year, and I still realize that I could get some freak HIPAA inspector that is totally unreasonable, but the bottom line is that the trend is positive).

Anyway, hope this info makes you feel a little better and a little less overwhelmed!  Have a great week!

Laney Kay