By Jim Johnson, President, LiveCompliance, a partner service for GroupOne Health Source Inc.
Twitter: @GroupOne_Health
Although healthcare facilities of all sizes and types are required to choose a HIPAA compliance officer to make sure that regulations are followed, some choose to blend the role with an existing one. For small to medium-sized practices, the thought of hiring a full-time HIPAA compliance officer may seem financially unfeasible.
While you may feel that an existing staff member is capable of fulfilling this role along with their other responsibilities, it is worth investing in someone who will ensure that HIPAA regulations are consistently met. This will help you and your practice avoid serious penalties associated with failing to comply.
Penalties and Repercussions of HIPAA Violations
Understand that the penalties of not complying with HIPAA regulations are substantial. In addition to big civil or criminal repercussions, failing to adhere to the guidelines can cost your practice anywhere from $100 to $1.5 million. In some cases, failing to comply with HIPAA regulations may cause termination of employees and/or your practice.
There are four types of potential civil monetary penalties associated with HIPAA violations, with penalty amounts increasing with each tier:
1) Individual did not know the act was a violation.
The fine in such a case is $100-$50,000 per violation, with a maximum of $1.5 million for same violation occurrences within the same year.
2) Reasonable cause/ not due to willful neglect.
The fine for this violation type is $1,000 – $50,000 per violation, with a maximum of $1.5 million for same violation occurrences within the same year.
3) Willful neglect but corrected within required time frame.
The penalty in this case is $10,000 – $50.000 per violation, with a maximum of $1.5 million for same violation occurrences within the same year.
4) Willful neglect and not corrected.
The penalty for this violation type is $50,000 per violation, with a maximum of $1.5 million for same violation occurrences within the same year.
There are three main tiers of potential criminal penalties for HIPAA violations:
- Unknowingly/ with reasonable cause: The penalty for this type of violation is up to one year of potential jail time.
- Under false pretenses: The penalty for this type of violation is up to five years of potential jail time.
- Personal gain/ malicious reasons: The penalty for this type of violation is up to ten years of potential jail time.
Counting HIPAA Violations
In July 2016, reports indicated that there were 142 health care data breaches, affecting over 500 records so far this year, which almost exactly matches the amount of breaches reported during the same time frame in 2015 (143).
The cause of these data breaches were unauthorized access, hacking or network server incidents, loss or theft of devices used to store PHI, loss/theft of physical records and wrong disposal of records.
In September 2016, the HHS Office for Civil Rights (OCR) indicated there were 114 breaches of network servers (affecting over 122 million people), 257 breaches of laptops (affecting 5.4 million people), 257 breaches of laptops (affecting 5.4 million people), and 243 breaches of paper records and films (affecting fewer than 1 million people).
What a HIPAA Compliance Officer Can Do for Your Practice
The job of a HIPAA compliance officer is to grow, apply and manage a HIPAA compliance program for your practice. While this may sound like a temporary or part-time role, there is quite a list of duties that your compliance officer can and is responsible for.
First; a HIPAA compliance officer is normally in charge of keeping your practice updated on the latest federal and state privacy laws, and educating other employees about these updates.
A compliance officer will likely be in charge of creating Notice of Privacy Practices (NPP), as well as posting and/or distributing these documents. Your compliance officer can also be tasked with maintaining records of every patient’s acknowledgment of receiving this NPP document.
Your HIPAA compliance officer should be responsible for providing all information requested by patients as well as other staff members about HIPAA as it relates to the privacy and security of protected health information (PHI). In addition to answering questions about policies and regulations, your compliance officer is tasked with handling complaints from both employees and patients about reported HIPAA violations.
Along with the day-to-day tasks that come with ensuring your practice is in compliance with all HIPAA regulations, a HIPAA compliance officer will usually be the person who communicates with the HHS Office of Civil Rights (OCR) during compliance reviews and/or investigations.
Better to Be Safe Than Sorry
So should your practice hire a HIPAA compliance Officer? A full-time HIPAA compliance officer will be fully dedicated to his/her role, with no other administrative or clinical tasks taking priority at any time.
If you want to be sure you’re doing everything you can to protect against data breaches and costly HIPAA violations, hiring a full-time compliance officer may be a good idea for your practice.
This article was originally published on GroupOne Healthsource and is republished here with permission.