Risks of Non-Compliance
HIPAA seriously impacts both the organizational and operational aspects of healthcare providers, businesses and government entities that use or provide resources involving "Protected Health Information" (PHI), including group health plans. HIPAA is a PRIVACY ISSUE concerned with more than just electronic transfers and technical security. It is a legal mandate dealing with PHI. Elements of HIPAA can affect many areas of organizations with serious risks for non-compliance.
NON-COMPLIANCE with HIPAA brings risks of FINES, JAIL & LAWSUITS that can impact either individuals or corporate entities.
NON-COMPLIANCE exposes an organization to complaint-driven Federal audits that may be initiated by unhappy employees, vendors, clients or citizens, and the organization MUST assist the complainant in filing the complaint.
JUDICIAL PROCESS FOR NON-COMPLIANCE . . .
NON-COMPLIANCE may result in Federal prosecution. Those responsible for illegal disclosure of PHI face penalties such as . . .
INCIDENTAL VIOLATIONS may result in fines from $100 per incident up to $25,000 for the same violation per calendar year.
WRONGFUL DISCLOSURE is prosecuted by the Department of Justice and penalties can range from $50,000 and 1 year in prison up to $250,000 and not more than 10 years in prison for responsible parties.
LAWSUITS by parties claiming that they have been damaged by release of PHI can be extremely costly. Cases involving significant awards have already set precedents for future legal actions.
MITIGATION STEPS
In the event that a security breach or data loss occurs involving PHI, HIPAA requires that specific steps be taken to address such an incident and that actions are documented. The mitigation process is a critical step in addressing breaches.
RISK EXAMPLE - School District
HIPAA ENFORCEMENT ISSUES
What are the costs of non-compliance with HIPAA for School Districts?
The risks of non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) include the potential of civil actions, fines and penalties, class action litigation and criminal prosecution in some cases of deliberate mishandling of "protected health information" (PHI) as defined by HIPAA regulations. This worksheet is designed to assist decision makers in determining the risks that they may face if an incident occurs involving mishandling of PHI.
QUESTIONS:
What if we didn't know that we were violating HIPAA?
Your organization can still be in violation of HIPAA and may be subject to civil or criminal penalties.
What if our organization has downloaded policies and procedures from a professional site on file?
If your organization has not taken specific actions and documented them as required by HIPAA, simply having boilerplate documents without addressing compliance may actually expose you to more risk.
How can we be sued for violating HIPAA?
The Federal government can fine your organization, and as few as two people can file a class action lawsuit.
Is HIPAA being enforced?
Yes. Over 200 criminal cases have been referred to the Department of Justice and there have been many terminations of employees for violations of HIPAA and civil litigation involving HIPAA.
Does HIPAA affect anything besides insurance or group health benefits?
HIPAA can affect the entire organization, beyond the areas covered by Benefits, HR and FERPA in schools, and in many organizations HIPAA impacts more than Group Health Plans.