The HITECH Act (part of the Affordable Care Act) requires periodic audits of covered entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. These audits will be performed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). We expect to see an audit protocol proposal before the audits begin, but you should not wait to see what the OCR will audit; ensure your office is in compliance now.
Compliance with HIPAA rules is required under federal law, and violation of these rules is enforceable by corrective measures or by potential fines, as noted in the following chart:
HIPAA violations and enforcement

HIPAA violation | Minimum penalty | Maximum penalty
--- | --- | ---
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (NOTE: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect and not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
The most common issues investigated by the OCR are:
- Impermissible uses and disclosure of Protected Health Information (PHI).
- Lack of safeguards of PHI including failure of security controls to protect against unauthorized access.
- Lack of patient access to their own PHI.
- Lack of administrative safeguards of ePHI.
- Use or disclosure of more than minimal PHI.
Action is taken against private practices, so you should make sure patient data is protected. Look at recent HIPAA violations to get some idea of the kinds of practices you need in place to prevent these sorts of violations from occurring in your practice:
- A laptop was stolen from Lahey Hospital and Medical Center in Boston from an unlocked treatment room during overnight hours. The laptop contained the PHI of 599 individuals. The subsequent OCR investigation demonstrated widespread noncompliance with HIPAA rules, and the hospital was fined $850,000.
- A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. The employee left a message with the information at the patient’s home despite previous instructions to leave the information only at her work number.
- A complaint alleged that an HMO impermissibly disclosed a patient’s PHI when it sent her entire medical record to a disability insurance company without her authorization.
- A patient alleged that his private practitioner failed to provide him access to his medical records. After he filed an OCR complaint, the practice released the patient’s medical record and billed him $100, which exceeds the Privacy Rule limits that allow only a reasonable cost-based fee for copying and mailing this information.
There are many more similar reports. We hope this will give you some idea of the kind of problems you could have if you aren’t careful, and a heads-up that any violations could lead to large fines.