By W. Patrick Davey, MD, MBA
What I’m about to tell you will terrify you. I hope you’ll be scared enough to take action to protect your practice so that this doesn’t happen to you.
Recently, a dermatology practice in Massachusetts paid $150,000 to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations after an unencrypted thumb drive holding patient data was stolen from a vehicle owned by one of its employees. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made clear that the settlement was not just about the stolen drive: the practice had never conducted a risk analysis that identified portable media like the thumb drive, and so had never managed that risk to protect its patients' data. The technical lesson is simple. Protected health information on a portable device must be encrypted, and encryption to the HHS guidance standard also takes a lost or stolen device out of the breach-notification rules, because the data on it is no longer considered unsecured.
The Sept. 23, 2013 deadline to comply with the HIPAA Omnibus Final Rule has come and gone, and OCR is now looking to make examples of practices that have not addressed the changes to HIPAA that stem from the Health Information Technology for Economic and Clinical Health (HITECH) Act. Congress passed HITECH in 2009 to strengthen the safeguards for electronic health information and to encourage physicians to adopt electronic health records (EHR) through the Meaningful Use incentive program.
The rule sets a tiered civil penalty structure keyed to the degree of culpability, from violations the practice did not know about up to uncorrected willful neglect, with penalties of up to $50,000 per violation and a cap of $1.5 million per calendar year for all violations of an identical provision. A practice that violates several different provisions, or repeats a violation across multiple years, can therefore face well over $1.5 million in civil fines. Separately, HIPAA's criminal provisions carry fines of up to $250,000 and imprisonment for up to 10 years for knowingly obtaining or disclosing protected health information with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.
OCR has significantly expanded HIPAA enforcement since HITECH passed in 2009, and it has awarded a $9 million contract to an audit firm to conduct compliance audits. Those audits are ongoing, and early results suggest OCR considers the model an effective way to monitor HIPAA compliance. Expect audits and civil and criminal enforcement actions to become more frequent and more costly in the future.
Scared? Good! Now protect yourself
Have I succeeded in scaring you? Good! Now let’s focus on how to protect your practice against a draconian HIPAA audit.
As vice chairman of the board of directors of the Accreditation Association for Ambulatory Health Care (AAAHC), I’ve heard many accounts of HIPAA inspections, audits, and corrective action plans. If you’re not prepared when auditors show up at your practice, it won’t be a pleasant experience. So, as we say in health care, an ounce of prevention is worth a pound of cure. It is essential that practices establish good risk-management processes and conduct ongoing staff training to be able to identify and mitigate risks through a compliance plan to prevent a harsh audit.
To help protect your practice, the Academy has developed a new HIPAA manual, A Guide to HIPAA and HITECH for Dermatology. It contains a model business associate agreement, model notice of privacy practice form, breach notification requirements, and other guidelines, tools, and worksheets that explain all of the new HIPAA regulations.
For the small cost of this manual, you can prevent a hefty fine. You can order the manual online or call the AAD’s Member Resource Center at (866) 503-SKIN (7546).
The Academy has also developed a series of educational recordings about HIPAA that are focused on the new regulations, as well as privacy and security requirements. Train your staff about the new changes and ongoing HIPAA requirements at www.aad.org/webinars. You can also visit the Academy’s HIPAA Web page at www.aad.org/hipaa for additional resources.
Remember, the best defense is a good offense. Use Academy resources to ensure you have appropriate policies and practices in place before the auditors show up at your door.
Dr. Davey is president of Dermatique, a medical, surgical, and cosmetic dermatology practice in Scottsdale, Ariz. He has served on multiple committees for the American Academy of Dermatology, American College of Mohs Surgery, American Society for Dermatologic Surgery, and the Accreditation Association for Ambulatory Health Care (AAAHC). He is chairman of the AAD Practice Management Committee, vice chairman of the board of directors of the AAAHC, on the board of directors of the Institute for Quality Improvement, on the SkinPAC Board of Directors, and on the ACMS Public Policy Committee.
Email the Member to Member editor at firstname.lastname@example.org.