HIPAA Compliance or Else

The U.S. Dept of Health & Human Services, Office of Civil Rights (OCR), enforces HIPAA and HITECH security regulations. Below are three examples of incidents and fines reported to Congress in 2012. The common denominator is that none of the three practices demonstrated that they had procedures in place to minimize the risk of exposing patient health information.  OCR will be auditing physician practices going forward to ensure compliance. It is important to consider compliance measures to prevent HIPAA violations, but equally important to take steps that prove your continuous commitment of time, effort and resources to an effective compliance program.

Example 1

Phoenix Cardiac Surgery, a five physician practice, agreed to pay $100,000 to resolve charges that it violated the Health Insurance Portability & Accountability Act (HIPAA). A complaint had been filed alleging that the practice was posting surgery and appointment schedules on an internet-based calendar that was publicly accessible. Upon review, HHS office concluded that the practice had done little to comply with HIPAA since the regulations were implemented in 2003/4.

Example 2
The Hospice of North Idaho agreed to pay $50,000 to settle potential HIPAA violations due to a laptop being stolen in June 2010. The unencrypted laptop contained electronic protected health information (PHI) of 441 patients. The Office of Civil Rights (OCR) determined that the practice had not conducted a risk analysis to safeguard electronic PHI.

Example 3
Massachusetts Eye & Ear Infirmary and Eye and Ear Associates agreed to pay $1.5 million to settle potential HIPPA violations following a breach report submitted by the practice to report the theft of an unencrypted personal laptop. The laptop contained electronic PHI of patients and research subjects. Upon investigating, the OCR found that the practice had not taken the necessary steps to comply with the HIPAA requirements.


What is the message from the government? Demonstrate a proactive and ongoing approach to mitigating risks associated with patient privacy regulations