Maintaining compliance with HIPAA, TCPA, the FTC, and the host of other regulatory boards is complicated. An inadvertent error can result in massive fines, but there is much to be gained from a smart online strategy if you avoid the minefield of potential violations. For the next five weeks, we’re breaking down five marketing landmines that risk HIPAA and regulatory compliance. Each article will cover one of the five landmines, and each will conclude with an opportunity for readers to download a white paper that explains all five landmines in greater detail. Our goal is to help you ask the right questions about your practice, and to ask your vendors the right questions. If they get HIPAA wrong, you will be the person who burns. Let’s get started.

Just as the IRS conducts audits to address noncompliance, the Office for Civil Rights (OCR) began doing the same when initial audits showed HIPAA compliance was about 10 percent. HIPAA enforcement was once associated with suggested procedural improvements and enhanced training. Now, enforcement is associated with enormous fines. Proactive implementation of HIPAA requirements is the simplest, cheapest way to prepare for an OCR visit. Part of the HITECH legislation requires covered entities to notify patients when a data breach occurs, and if the violation affects more than 500 patients, media outlets are notified as well.

So, what does an audit entail?

An investigation by the OCR might be a paper audit or on-site audit and would require your practice to provide the following…

1. The most recent HIPAA Security Risk Assessment (SRA) and a documented work plan to address any issues discovered in the SRA

2. Evidence of documented HIPAA Security and Privacy Policies and Procedures, including evidence your organization has implemented and is following the Policies

3. Evidence that employees have received periodic HIPAA Security and Privacy training (this should be ongoing training that occurs at least once a year)

4. Evidence of a security incident response plan

And what happens if you fail to pass a HIPAA audit?

Ever heard of the Wall of Shame?

It lists all cases meeting a modest threshold where covered entities inappropriately disclosed PHI, including the number of patients affected, the corrective action taken, and the settlement paid, if any.

You do not want to be on the Wall of Shame. And then there’s the matter of the fines…


There is always the potential of an audit, but if a HIPAA incident occurs and all these documents have been created upfront, it is an explanation. If you have to create these documents after the fact, it is considered “an excuse.” The penalties will likely correspond accordingly. For more details, download and read the full white paper below. And if your research raises any questions, let us know in the comments below!

So, in conclusion…