Having a program is not enough. You might think you’re safe from enforcement action if you have a good HIPAA compliance plan in place for your surgery practice. Not so fast: A recent penalty levied by the feds suggests that having a plan in place is not enough — if you fail to follow your own plan.

Check Out This Case

Recently, an HHS Administrative Law Judge (ALJ) ruled on the side of the HHS Office for Civil Rights (OCR) against the University of Texas MD Anderson Cancer Center, according to an agency release on the subject. Here’s why: MD Anderson sidestepped its own risk analyses, failing to encrypt devices that contained electronic protected health information (ePHI).

The ALJ decision was in line with the OCR’s Notice of Determination and “stated that MD Anderson’s ‘dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,’ a risk that MD Anderson ‘not only recognized, but that it restated many times,’” the OCR release mentioned.

Consider This Compliance Refresher

A few years back, the HIPAA Omnibus Final Rule introduced and solidified a new penalty structure, as well as new definitions relating to HIPAA violations. The definitions for three terms in particular are pivotal under the penalty system.

What’s more: Willful neglect violations must be investigated and penalties are mandatory, points out HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont, and the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions allow continued corrective actions, even if there’s no penalty. Plus, your state Attorney General can bring HIPAA actions, too.

Review the Tiered Penalty Structure

The ALJ put MD Anderson’s actions within the Tier 2 level of HIPAA violations, according to the ALJ decision.

“This is the second summary judgment victory in OCR’s history of HIPAA enforcement, and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations,” stated the agency release on the subject. The size of such a large Civil Monetary Penalty (CMP) for a second-level HIPAA violation is significant, and may be a harbinger of things to come. Remember, the feds instituted section 13410(D) of the HITECH Act, which became effective for HIPAA violations on or after Feb. 18, 2009.

Sheldon-Dean breaks down the penalty tiers:

Inflation: Don’t forget that HHS tweaked these baseline fines in the name of inflation back in 2016, as mentioned in an interim final rule published in the Federal Register. The changes are applicable to violations occurring after November 2, 2015. Here’s the maximum amount each HIPAA violation may cost you under the CMP adjustment:

The adjusted CMP is an increase from $50,000 per HIPAA violation with a past annual cap of $1,500,000.

Resource: Read the ALJ’s decision with CMP details at www.hhs.gov/sites/default/files/alj-cr5111.pdf.