The government has convicted HIPAA violators -- make sure you-re not at risk HIPAA compliance may no longer be at the top of your to-do list, but that doesn't mean it should fall off of the list all together. As most practices know, the HIPAA privacy rule went into effect in April 2003. At that point, you couldn't walk out your office's front door without hearing a HIPAA best practice or tip. But almost five years have passed since then, and in some offices, HIPAA has been put on the back burner. Reality: The U.S. Department of Justice is watching covered entities that violate privacy rules, so you can't turn your back on HIPAA anytime soon. Make sure you-re keeping up with these expert tips. Protect Patient PHI The HHS Office of Civil Rights (OCR) has received more than 32,487 privacy complaints and has resolved 5,509 of those cases by asking practices to change their privacy practices and requesting other corrective actions, according to the OCR Web site. The top HIPAA complaint that the OCR received was regarding impermissible personal health information (PHI) disclosure, followed by lack of PHI safeguards. Private practices were the number-one type of covered entity required to take corrective action to comply with HIPAA, followed by hospitals, outpatient facilities, health plans and pharmacies. "So far, there have been no financial penalties imposed following these investigations because the OCR would rather have people complying with the privacy regulations than collect money," says Michael B. Glomb, Esq., with Feldesman, Tucker, Leifer, Fidell, LLC in Washington, D.C. "You only have a penalty imposed if they found a violation and you decided to ignore their recommendations to fix it." Check yourself: If you-ve let PHI security slip off your radar in your billing practices, now may be the time for a review. Check the following billing areas to ensure you-re keeping up with HIPAA PHI best practices. Be sure that you-re not e-mailing patient PHI to carriers for claims status checks. Check to see that your practice has a business associate agreement (BAA), which allows you to legally share PHI, with any outside collectors you use. If you have an in-house collections policy of sending letters and making calls before forwarding past-due accounts to an outside collector, you should outline this policy in your Notice of Privacy Practices (NPP). Avoid leaving detailed messages on a patient's phone that contain patient information. Keep in mind: The Department of Justice isn't going after people who leave their computer screen turned on with the patient schedule showing, says Kirk J. Nahra, Esq., with Wiley Rein, LLP in Washington, D.C. "Most of HIPAA is just a question of good practices," he says. "People aren't going to jail for the minimum requirements under the privacy regulations. They-re getting into trouble for things like stealing patient information."