Looking for more HIPAA guidance? Attend our "HIPAA: Facts and Myths about the Law" session at Practice Rx, a new conference for physicians and office administrators. Join us Sept. 19 & 20 in Philadelphia.
Spotlight: Career
Pearls
CME/CE
Subscribe
- Industry News
- Access and Reimbursement
- Law & Malpractice
- Coding & Documentation
- Practice Management
- Finance
- Technology
- Patient Engagement & Communications
- Billing & Collections
- Staffing & Salary
HIPAA Violations for Noncompliance, Not Just Breaches
Even if your practice does not suffer a HIPAA breach of confidential patient data, being noncompliant can land you in hot water as well.
In light of the recent revelation of the breach of patient information at nearly 209 hospitals nationwide by Community Health Services, the need to comply with HIPAA has been brought to the forefront. By now it is common knowledge that breaches must be reported on both a state and national level. Yet, I have been involved in a myriad of conversations that highlight whether or not noncompliance alone triggers a violation. The answer is simple - it does.
The basis for my answer stems from the Federal Register, initially on February 16, 2006, then again on January 25, 2013. (71 Fed. Reg. 8424 (Feb. 16, 2006), as amended at 78 Fed. Reg. 5690 (Jan. 25, 2013). Section 160.306(a) of the CFR expressly states the following:
Right to file a complaint. A person who believes a covered or business associate [or subcontractor] is not complying with the administrative simplification provisions may file a complaint with the Secretary. (Emphasis added).
Notice that the provision says, "complying with administrative simplification provisions." It does not go on to reveal that only in the event of a breach can an issue of compliance be reported. This brings us to an all important compliance area of HIPAA - policies, procedures, and practices. These items are assessed by HHS against the standard of "willful neglect" to determine whether or not a violation exists. Hence, it does not behoove a practice to have "ostrich syndrome" and ignore gaps in compliance. Once identified, they need to be addressed because, "[t]he Secretary may conduct a compliance review to determine whether a covered entity or business associate [or subcontractor] is complying with the applicable provisions in any other circumstance." (78 Fed. Reg. 5690 (Jan. 25, 2013). In turn, this can trigger a request by HHS for records.
If a technical violation is found, according to Section 160.402(a), the Secretary "will impose a monetary penalty" if an administrative simplification provision has been violated. And, if more than one entity is involved, they all will be held responsible.
To sum it all up:
• Do not turn a "blind-eye" to compliance with HIPAA administrative simplification rules;
• A breach is not necessary in order to trigger an investigation;
• Compliance items form the basis for a HIPAA violation; and
• Make sure policies, procedures, and practices are documented.
Related Content
Certifying Your Communications Technology is Secure
July 5th 2021Podcast
Physicians Practice® spoke with Michael Parisi, Vice President of assurance strategy and Community Development at high trust Alliance, about how physicians and practice owners can discern whether or not communications technology they are interested in integrating into their practice is certified secure.
Addressing patient suicide risks in your practice
March 1st 2021Podcast
Physicians Practice® spoke with Dr. Anisha Abraham, author of the book "Raising Global Teens: A Practical Handbook for Parenting in the 21st Century", about signs that a patient may be at risk of suicide and self-harm as well as interventions and communication methods physicians can employ in the clinical setting.
