There is a very good article over at AIS’s Health Business Daily that discusses HIPAA and HITECH violations. With the signing of the HITECH Act as part of the ARRA stimulus bill, the penalties for HIPAA violations have increased dramatically. The HITECH Act has also increased the enforcement of HIPAA regulations.
A privacy breach due to “willful neglect” that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million
Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the “willful neglect” category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.
The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
Where it gets really interesting is the description of “Willful Neglect”
The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it’s unlikely that a CE or BA would have no formal protocol.
Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors’ offices and clinics still lack policies and procedures because they “don’t feel it’s necessary or don’t want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information.”
If you think that just writing policies and procedures will help avoid willful neglect then read on.
“The greatest danger” for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. “A policy on a shelf is not going to be very helpful — it won’t be helpful in protecting privacy and security, and it won’t be helpful in responding to an investigation,” he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.
The take away from this article is that you need to have policies and procedures in place for both the HIPAA Privacy and Security rules. These policies and procedures need to be enforced and communicated to all employees. I would tend to guess that a lot of practices have policies and procedures in place for the Privacy rule. Practices will need to develop policies and procedures that comply with the Security rule as well. This is especially true as practices start to create electronic patient health information (ePHI) through the implementation of an EMR, digital x-rays, electronic lab results, billing information, scanned consent forms, etc. The increased use of technology such as laptops, remote access, email, portable disks and smartphones will also require the appropriate policies and procedures.
Here is a final thought that might keep you up at night. Imagine a spreadsheet with financial and demographic information of 250 patients that was saved unencrypted on a laptop. The laptop was taken home by the billing manager and was stolen out of her car. Did you have a policy and procedure which prevented her from taking the information? Was it enforced? Was it communicated to all employees? Is this an unfortunate HIPAA violation or is this willful neglect?
Related posts:
