HIPAA Security Rules: Avoid Penalties for Non-compliance


Controlling which devices can access protected health information is essential to maintaining HIPAA compliance. On the enforcement and audit side, there is a new program in place with new enforcement categories, including a new category for willful neglect of compliance: a conscious, intentional failure, or reckless indifference, to the obligation to comply.

In other words, if you say, “We don’t care about this stuff. We're not going to do it. It's stupid. I hate it,” you can feel that way all you want, but if that is your attitude and they decide to ask you some questions, you may wind up getting hit with willful neglect violations, and they have not been shy about issuing these.

One organization decided to ignore an investigation into some complaints. Because they ignored the investigator for more than 30 days, the penalties racked up to $50,000 per violation, not just $10,000. Then HHS decided, “Well, listen, we're going to levy these penalties on a daily basis,” so they racked up the $1.5 million per year maximum over two years: $3 million worth of penalties for willful neglect alone, on top of a small underlying violation. Ignoring requests to turn over your records is not a good thing.

The list of settlements includes lack of a security process, lack of security for portable devices, insecure laptops, and no process at all: lots of fines and lots of penalties for equipment and data that were lost or ended up in other people’s hands when they should have been secured.

If the data had been secured, if it had been properly assessed in a security risk analysis and the identified risks had been mitigated, there would not have been a problem. When investigators come to the door after a breach and find there has been no risk analysis, no process for determining what the risks are and mitigating them, and something that was not secured has been lost, they make an example of you. And as you can see from these cases, they are covering large organizations and small organizations alike.

Take the HIPAA Security Rule violation that cost a doctor’s office $100,000. That office was just two physicians. They had an appointment calendar on the web that was not properly secured, and each of them effectively lost a year’s worth of college tuition for one of their kids. They are not very happy. But these settlements are happening across the board: large organizations, small organizations, health plans, Medicaid, hospices, physicians’ offices, hospitals, whatever. They are coming after everybody, making it clear that you have to be in compliance with the HIPAA rules.

So where do you start with HIPAA Security Rule compliance? A great place to start is the NIST HIPAA Security Rule toolkit. It will help you review your policies and discover risk issues. It is a large project to work through, but definitely download it and take a look. It is a very useful product, and it is very good for documenting your compliance, so that if somebody asks what you have for this particular regulation or that regulation, you can point to your toolkit and say, “Here's the documentation that I have for that, and here's what I can show you about it.”

So make sure you document things, have a good HIPAA risk assessment, review your policies and procedures, and make sure you get them updated. One of the most important things you can do is to have a good plan in place for going forward. And of course, get comfortable with all those questionnaires.

Make sure you document things. Any policies and procedures, and any action, activity or assessment that you carry out pursuant to compliance with the rules, need to be properly documented, so you can show your compliance if you get audited, and so you can use that documentation to keep your work going more smoothly.

HIPAA Training Tip: You can organize your documentation a couple of ways. One is through the NIST HIPAA Security Rule toolkit; another is the HIPAA audit protocol, which you can download. The idea is that you don’t want to use only the web tool they have available there. They give you the option to download it, so download it and put it in a spreadsheet.

Then, for all the questions they might ask you, you can say, “Well, here's how we answer it. Here are the policies and procedures. Here's our documentation,” so you can be prepared to answer any question they might put to you right away if you're audited. The best thing you can do is be prepared on a moment’s notice. Take a look at the healthcare audit protocol, build on it to show what you have and what you are going to have in place, and use it to guide your compliance efforts.
