Eight BIG reasons why organizations need HIPAA audits
The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of the U.S. Department of Health & Human Services (HHS) to provide for periodic audits to ensure that covered entities (such as group health plans) and their business associates comply with the HIPAA privacy and security requirements.
HIPAA Privacy Provisions
HIPAA’s Privacy provisions became effective 04/14/2003 and 04/14/2004 for Large Plans and Small Plans respectively. For these purposes the same definitions as those used by the SBA apply. The Privacy provisions, when integrated with HIPAA’s Security provisions, require operational, document and educational performance. Adherence to Best Practice generally minimizes the possible considerable personal exposure of clients’ employees. HHS audit are now ongoing and companies need to understand the risks they now face.
The initial key reasons we see this pressing need for HIPAA audits include:
1) There is an ongoing national pilot HIPAA compliance audit project through the Office of Civil Rights (“OCR”) that could present a high level of risk. Audits by mail are also occurring and the industry expects all types of audits to increase. An unsuccessful audit can reflect negatively on a business brand and client confidence.
2) Covered Entities and Business Associates must stop doing business with an entity in Breach until such time as it can document that the Breach has been fixed. Although important all-around, this is especially important to those providing medical care and insurance-type services.
3) Corrective measures and business costs in the event of a Breach ranges from $90 to $305 per record with an average of $200 per record.
4) Individuals can be personally responsible.
5) There is a significantly increased level of risk and probability of failure in the absence of adequate compliance measures.
6) A Breach that impacts 500 or more individuals MUST be posted on a government website. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
7) Civil monetary penalties (“CMP”) may apply to a Breach. The amounts are related to the severity of the Breach with categories of “Did not know” (a) through (d); “reasonable cause but not willful neglect” (b) through (d); and “willful neglect”(c) through (d).
a) $100 per violation not to exceed $25,000 per calendar year,
b) $1,000 per violation not to exceed $100,000 per calendar year,
c) $10,000 per violation not to exceed $250,000 per calendar year, and
d) $50,000 per violation not to exceed $1,500,000 per calendar year.
8) Criminal actions
a) Knowing violations of up to $50,000 and/or a year in prison
b) Misrepresentations (false pretenses) of up to $100,000 and/or five (5) years in prison
c) Intent to sell, distribute, etc. Up to $250,000 and/or 10 years in prison