When you outline your office budget, put cash aside for compliance planning.
It’s safe to say that avoiding fraudulent claims has always been a best practice, but increases to CMPs serve to drive that point home. And, if you think that small practices are exempt, you’re wrong. It’s no surprise that the feds continue to go after HIPAA offenders with a vengeance: breaches wreak havoc on the business of healthcare and on patients’ privacy and safety, and they destroy the integrity of the industry.
Don’t Gamble on Risk
The breach at Children’s Medical Center of Dallas highlights how just one lost phone and unsecured laptop can lead to staggering financial losses. The lack of encryption and the lack of seriousness with which the hospital ranked HIPAA compliance are what garnered the organization a $3.2 million fine.
“The high-impact cases OCR moves forward with are intended to send a message to the industry,” says Kathleen D. Kenney, Esq., of Polsinelli LLP in Chicago, Illinois. “With that in mind, I advise our clients to use these cases as learning opportunities.”
Kenney recommends that practices investigate the corrective actions of these large-scale breaches and learn from the mistakes. “Ask, ‘Could this happen to my organization?’” she says. “And, if the answer is ‘yes,’ use it as an opportunity to voluntarily take corrective measures.”
Stiffer penalties. The Department of Justice’s (DOJ) interim final rule adjusting CMPs for inflation was published last June in the Federal Register. Annual adjustments for inflation are mandated by the Bipartisan Budget Act of 2015; they are in effect for fines assessed beginning in August 2016 and apply to violations occurring after November 2, 2015.
Here’s the maximum amount each HIPAA violation will cost you under the new CMP adjustment:
Could This Happen to You?
Two recent issues with the loss of Protected Health Information (PHI) over the past week spotlight how a small practice might run into trouble.
Budget for HIPAA or Pay the Price
If your small practice struggles with HIPAA, you may need to consider updating your compliance protocols, especially with the onset of quality-backed initiatives under MACRA. As the priority in healthcare is now clearly focused on the patient, putting his or her privacy and security first will be paramount.
Money matters. The upkeep and implementation of a HIPAA plan can be costly, but pushing it to the last line item on your budget is a mistake.
“For a long time, and still today, many compliance officers struggle to get the budget they need from upper management/executives to invest in their privacy and security program,” observes Kenney. However, she maintains that investing up front is essential and can make a “night and day” difference if the OCR should come knocking.
Once you’ve set aside funds for compliance, Kenney suggests you follow these steps when setting up a HIPAA compliance plan:
Reminder: Preparation is the key to success not only in life but also in compliance. “With precautionary measures in place,” she adds, “I do think (based on my experience at OCR and on the other side of the table now), you can catch potential breach incidents before they happen or demonstrate to OCR that although a breach did occur, your organization had a plan in place and does not have a systemic issue when it comes to HIPAA compliance.”