While the Health Insurance Portability and Accountability Act (HIPAA) has been around for eighteen years, there has been a marked increase recently in the enforcement of the HIPAA Privacy and Security Rules by the federal government. While the more spectacular fines get the headlines, such as the $1.5 million assessed against a New York hospital and university for disclosing Protected Health Information (PHI), or the $1.7 million settlement with the Alaska Department of Health and Human Services, which resulted from a self-reported breach after a thumb drive was stolen from an employee's car, the smaller guys are starting to feel the pinch.
Phoenix Cardiac Surgery, P.C., a surgery provider owned by two Phoenix physicians, was slapped with a $100,000 fine. In a settlement agreement with the government, the physicians agreed that they did not provide and document training for each of their workforce members and failed to have appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI. They were also found not to have obtained satisfactory assurances of compliance with HIPAA from some of their contractors.
The prudent health care provider must be aware of the numerous self-reporting requirements under HIPAA. A provider must self-report certain breaches of PHI, especially when the provider loses control of the information. In the Alaska case, it was the self-reported theft of a thumb drive containing thousands of patients' PHI that triggered an investigation. Complaint investigations, as seen in the Phoenix case, can also lead to further trouble once the provider's practices come under review. Thus, careful preparation, training and documentation are necessary elements in ensuring that every medical practice, nursing facility, home health care provider, retirement community with health care services, and other medical provider has fully implemented the training and safeguards mandated by HIPAA. The provider must take steps to ensure its compliance with the security standards and the administrative, physical and technical safeguards. Organizational requirements must be in place, and training must be implemented and documented. As with most government programs, documentation goes a long way toward demonstrating compliance.
As evidenced by its recent increase in enforcement actions, it seems the federal government has determined that the law has been around long enough that lack of familiarity with HIPAA is no longer an excuse. The period of practitioners and HIPAA getting to know each other is over, and the reality of HIPAA implementation and enforcement will only become more apparent.