There are several tracks that can lead you down a path to BIG trouble with the federal government for HIPAA violations. For brevity, we will look at the top three.
#1 – Patient Complaint to the HHS Office for Civil Rights
In this era, patients are well informed of their rights, including their right to file a complaint with OCR (the Office for Civil Rights, AKA the HIPAA POLICE) if they feel you or your staff violated those rights. These informed patients are dangerous because they are armed. Patients are armed with information (or misinformation), with smartphones, and with a willingness to broadcast their grievances about situations they experience. I know – it’s not fair that your patients can trash you on social media, yet if you respond incorrectly to their online rant, you’re the one in hot water. I’m not suggesting you ignore getting roasted online. I am suggesting you temper your response to ensure it does not disclose any information that can get you in trouble.
#2 – Snared by OCR’s Audit Program
Few government agencies engage in proactive enforcement of rules and regulations. Until recently, OCR was no exception. In 2016, however, times changed. The government anticipated widespread non-compliance with HIPAA privacy and information security requirements by Covered Entities and their Business Associates. That anticipation, coupled with a REALLY good return on investment (government enforcement actions tend to yield between 10 and 20 dollars for every dollar spent on enforcing regulations; too bad we can’t share in the profits), prompted OCR to start auditing proactively.
There are two types of audits by OCR – desk audits and onsite audits. Reportedly, OCR is slated to complete 166 desk audits this year. Of those, 50 will be selected for onsite audits.
If your organization reported a minor HIPAA breach within the last year, you will very likely be selected for a desk audit. A dentist in Fort Worth (Texas) was one such victim. OCR reportedly notified the dental office that it had been selected for a desk audit, and the office was directed to submit certain documents to demonstrate its compliance. Unfortunately, the dentist never received OCR’s letter and therefore did not respond. Because of the dentist’s “failure to respond,” the office was selected for an onsite audit. I can’t tell you the outcome of that onsite audit because the situation is ongoing. I will end the story here in case OCR happens to follow my blog.
During a desk audit, a Covered Entity is required to submit a limited amount of paperwork for review. The review is conducted off site and is minimally intrusive. If you are selected for a desk audit, do not underestimate the potential for OCR to expose gaps in your office’s compliance efforts.
An onsite audit is an ‘A’ to ‘Z’ audit. This is where you could be compelled to show an investigator your signed Business Associate Agreements; a HIPAA Risk Analysis for each of the most recent 6 years (the average dental office has never done a Risk Analysis, on paper anyway); employee training records; written policies and procedures covering workstation use and use of social media by your staff (on duty and off); your current Notice of Privacy Practices (posted in the lobby and on your practice’s website); and other information. Overwhelmed?
You do not want to be audited. Whatever investigators find is fair game for enforcement actions. Recent OCR settlements have been VERY stiff. A medical practice in Illinois paid $31,000 for the mistake of not having a signed BAA with a vendor PRIOR to giving that vendor access to PHI. (How many vendors have access to your patients’ information, and did you have a BAA signed by each of them before giving them access? Do the math on what it would cost you if you were caught today. Motivated to do something?)
#3 – Dentist Reports a Breach to OCR
According to federal law, when a Covered Entity or Business Associate experiences a breach of Protected Health Information, it is required to complete a written Breach Risk Assessment (BRA). The assessment evaluates what information was involved, to whom the information was disclosed, whether the information was actually viewed or accessed, and what was done to mitigate the situation. If, after that evaluation, you cannot state that there is a “low probability the affected PHI was compromised,” the breach is a reportable breach and you are required to turn yourself in – for a mistake, an accident, a situation that happened outside your immediate control.
Currently, OCR investigates EVERY breach report that affects 500 or more individuals. OCR has publicly stated that it is positioning the agency to be able to investigate EVERY reported HIPAA breach regardless of size. OCR breach investigations look very much like onsite audits (though they may not actually be conducted onsite). You are on the hook for each HIPAA violation OCR finds (don’t kid yourself; they will find at least a few if you’re lucky). On a bad day, OCR will find a truckload of violations.
The Final Omnibus Rule, published in 2013, specified increased Civil Monetary Penalties (fines) for HIPAA violations. Maximum fines are $1.5 million PER VIOLATION PER YEAR. In 2017, OCR has settled, in a very short time period, more cases than it settled for most of 2016. The $31K settlement (referenced above) is, by far, the lowest of those settlements. Other settlements ranged from multiple hundreds of thousands to multiple millions of dollars. The average settlement today is $1.2 million, compared to $100,000 in 2008. And to think people say it is better to give than to receive – not in this sense!
Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs, all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more… It’s not just about OSHA anymore! Give us a call at 817-755-0035.