The Risk Of Not Paying Attention to HIPAA Violations


By Jacqueline Bain

On October 23, 2019, the U.S. Department of Health and Human Services imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.

The HIPAA violations mentioned in the HHS Press Release include:
1-Loss of paper patient records in December 2012;
2-Loss of additional paper patient records in January 2013;
3-A media report containing patient information (a photo shared on social media);
4-Employees accessing the information of one patient without a job-related purpose;
5-An employee’s improper access and sale of patient records in 2011.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.

When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.

When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.

Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head in the sand and hope that it won’t be hit.

Medicare November Emergency Preparedness Deadline Quickly Approaching

By Sharon Parsley

It is not news that Hurricanes Harvey and Irma have rocked Texas and the Florida mainland, and Irma has left unimaginable damage throughout the Caribbean and Florida Keys. During both hurricanes, considerable media attention was directed to how well hospitals and other sub-acute care providers in the affected areas were prepared for and responded to these events. When coupled with the loss of multiple lives at the Rehab Center at Hollywood Hills, seemingly due, at least in part, to exposure to extremely elevated temperatures during an extended power outage, emergency readiness should be near the top of every health care provider’s and supplier’s agenda. Providers and suppliers should also be mindful of a rapidly approaching regulatory deadline: a Medicare requirement on emergency preparedness that is a condition of continued participation.

Although the Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers regulation (the “EP Reg”) was published in the Federal Register in September 2016, providers and suppliers falling into one of 17 categories are required to comply with the EP Reg on or before November 16, 2017. Among the provider and supplier types affected are hospitals, ambulatory surgery centers, psychiatric residential treatment facilities, home health agencies, and certain clinics and rehabilitation service providers.