Is Mr. HIPAA Auditor really out there enforcing compliance? The fact is, he may be closer than you think. With the sweeping changes regarding HIPAA Omnibus Rule, tolerance for non-compliance is next to zero. If you have not completed your training to Omnibus Rule Standard, you may be in the dark, but ignorance in this case is NOT bliss! There are numerous forms, extensive protocols that were due in place in your dental office by September 23, 2013. There is no grace period, and there is no “I’ll get to later” attitude tolerated. This is a pressing issue and should be a priority- NOW! The key to a smooth transition into HIPAA Omnibus Rule compliance is a comprehensive, economical, and easily implemented HIPAA Omnibus Rule Training Program. Seeking this training from a reputable, knowledgeable company is a must.
Still not convinced this should be priority one in your dental office? Not sure if compliance to HIPAA Omnibus Rule is actually enforced? Allow us to present to you some recent actions as a result of non-compliance according to HHS.gov:
1. “The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals.”
2. “Alaska Department of Health and Human Services (DHHS) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information. OCR’s investigation followed a breach report submitted by Alaska DHHS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHHS employee. Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.”
3. “Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.”
If you think your practice is under the radar, think again! HIPAA audits can be kicked-off by disgruntled employees, HIPAA-savvy patients, or perhaps another healthcare provider who may make a complaint. The government is obligated to investigate every complaint, even if suspected untrue.
HIPAA Omnibus Rule is not going to go away, a HIPAA compliance company that will guide you through the twists and turns of compliance will be your greatest asset to protect your practice. Look for a compliance training company that will be your advocate in this cumbersome process. A company that will make compliance easy and stands by you when you need them to. Don’t leave yourself open and ripe for the picking!
Written by Jill Obrochta and Heather Whitt of Dental Enhancements