I recently received a frantic call from a long-standing client, who shall remain nameless, whose computer was hacked. She was concerned about a possible HIPAA breach. The clinic kept protected health information (PHI) on an unsecured computer that was compromised.
What caused the HIPAA violation?
A staff member had received an email from a sender she didn’t recognize. She then clicked on a link that she shouldn’t have clicked. Immediately she started seeing ominous screens flashing, declaring that the computer had a malicious virus and instructing her to call a particular toll-free number for tech support.
The staff member naively called the number and gave them access to her computer over the internet. She later realized this was the very party who had sent her the email she shouldn’t have opened. These phishing expeditions are so common now that you’ve probably experienced one, or at least heard a similar story before.
Knowing that I would be well-versed in HIPAA as the owner of a medical billing company, the clinic owner called me looking for advice. She knew enough to recognize that they had considerable exposure but didn’t know enough to have adequate safeguards in place.
Small clinics can still get big fines, even when they’re not at fault.
More than once during this conversation she said to me, “we’re just a small clinic in a small town and we don’t know about these things.” That description applies to many of my clients and really got my attention. The federal government, when assessing fines for HIPAA violations, doesn’t discriminate based on size or locale.
Who can get fined? Not just clinics.
The body of laws commonly known as HIPAA applies to anyone and everyone who works in healthcare or handles PHI in any way. It even applies to employers outside of healthcare who provide health insurance to their employees and thus maintain records of their employees’ enrollment in health insurance.
A quick Google search will turn up numerous cases of healthcare providers and organizations, no larger than this client of mine, who experienced similar breaches and were fined tens of thousands of dollars. A common pattern is that organizations who pled ignorance and failed to implement some of the most basic tenets of HIPAA received considerably more severe fines, simply because they failed to educate themselves and to implement the minimum required policies and procedures.
Common Accidental HIPAA Violations
For example, do you email patients’ names or other PHI in unsecured/unencrypted emails? If so, that’s a HIPAA violation. Do you maintain protected health information on unencrypted computers or electronic media such as thumb drives? That’s a HIPAA violation. Do you perform routine risk assessments to identify how an inadvertent HIPAA breach might occur, and then implement corrective actions to prevent such breaches? If not, that’s a HIPAA violation. Do you and your staff participate in ongoing HIPAA training? If not, that’s a HIPAA violation. Do you destroy the hard drives when you retire an aged computer or trade in your old photocopier? If not, that’s a HIPAA violation.
Reputation Damage: Could be even worse than the HIPAA Fine
In addition to steep financial penalties, the damage to your reputation following a HIPAA breach can be just as severe. Did you know that if you have a breach affecting as few as 500 patients, you have to alert the media? That might sound like a lot of patients, but if you keep any patient information on a computer or storage device, you probably keep a lot of patient information on that computer or storage device. 500 patients is less than one month’s worth of patients for many healthcare providers.
Isn’t encryption expensive?
Many of the HIPAA breaches you’ll find in that Google search involve stolen computers or thumb drives that weren’t encrypted yet contained PHI. For the cost of a venti Starbucks, those providers could have encrypted those computers and spared themselves huge financial penalties along with significant aggravation and embarrassment.
If you’re reading this blog, HIPAA almost certainly applies to you. My advice is not to discount it on the basis that you’re too small or too remote to worry about it, or that HIPAA breaches happen to other people and not to you. Educate yourself and take the time to develop and implement appropriate policies, procedures, and safeguards. If needed, hire a professional or a qualified healthcare attorney to take you by the hand and walk you down the path.
I’d be willing to bet that you pay your taxes, stop at red lights, avoid shoplifting and comply with other established laws. As long as you work in healthcare you have no choice but to take HIPAA seriously; the federal government certainly is.
David Allen, MBA