2017 HIPAA fines and enforcement illustrated new trends that all behavioral health practitioners should be aware of. Taking lessons learned from 2017 and applying them to 2018 is your best chance at protecting your practice from the mounting threat of fines.
It’s important to remember that this fine total only accounts for large-scale settlements reached between providers and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Smaller fines that didn’t require drawn-out legal proceedings and Corporate Integrity Agreements are not included in this list, nor are they publicized. That means that the total amount of fines is likely significantly greater than the officially publicized $19.4 million.
To see a total list of HIPAA violations and “meaningful breaches” that affected more than 500 individuals in 2017, you can view the HHS “Wall of Shame.” This is the HHS breach portal, which lists the name and state of each and every health care professional or health care vendor that has experienced a meaningful HIPAA breach since 2009.
Below, we take a look at some of the major public settlements that defined HIPAA enforcement in 2017. Take stock of how your behavioral health practice stacks up against these enforcement actions so you can avoid making these same mistakes!
- Presence Health, $475,000 fine, January 9, 2017: The Presence Health settlement was the first enforcement action taken for a violation of the HIPAA Breach Notification Rule. The Rule sets national standards that health care professionals must follow in the event of a data breach. This case set a precedent for new enforcement in the aftermath of even the most common of data breaches.
- Memorial Healthcare Systems, $5.5 million fine, February 16, 2017: OCR sent a strong message by levying the second-highest HIPAA fine in history for multiple violations.
- The Center for Children’s Digestive Health, $31,000 fine, April 20, 2017: This fine was levied for the lack of Business Associate Agreements in place between the organization and its vendors. This is a serious breach of the HIPAA Omnibus Rule, which states that all health care providers must execute BAAs with vendors before sharing any health information, or risk fines.
- St. Luke’s Roosevelt Hospital System, $387,000 fine, May 23, 2017: This fine highlights every practitioner’s worst nightmare: sending a patient’s sensitive health information to an unintended recipient. In this case, NY-based St. Luke’s sent medical records detailing a patient’s HIV+ status and sexual orientation to the patient’s employer by mistake. This is a serious breach of the HIPAA Privacy Rule, resulting in a hefty fine for the mishandling of just a single patient’s health information.
These are just a few of the major fines that shook the health care world in 2017. One of the best ways to protect your behavioral health practice is by implementing an effective HIPAA compliance program. Understanding exactly how to become HIPAA compliant should be the first step on your journey toward success.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches® fields questions and guides users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including pre-built business associate agreements and full vendor management capabilities.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individual.