Don’t Care About HIPAA? That’s a Million Dollar Mistake

When the HIPAA Privacy Rule went into effect in 2003, it functioned, in part, as a major scare tactic for medical practice administrators across the country.

As a flurry of “privacy rights” paperwork was distributed to patients, clinical and clerical staffers were warned to watch what they said about patients – and who they said it to. Managers and doctors tightened up their handling of medical records to make sure they were in compliance with the policies.

I was working in a medical office at the time, and I remember how markedly tense employees were about the new regulations. Hushed jokes about “the HIPAA Police coming to get us” if we breached patient confidentiality were frequently made, betraying the overall sense of fear pulsing through the practice.

In truth, the practical day-to-day business of that medical practice – or of any other in the U.S. – changed very little with the Privacy Rule, but the idea that a patient’s right to privacy was now federally protected caused a wealth of concern about the issue.

The same anxiety was instilled regarding health data protection when compliance with the HIPAA Security Rule became mandatory in 2005. But now it’s 2012. Are you still as scared of HIPAA as you were back then?

One health IT commentator, Glenn S. Phillips, recently wrote about how his colleague, a data protection professional, told him that “Nobody Cares About HIPAA.”

“I knew his comment was not literal and was for effect,” Phillips wrote. “But generally speaking, he has a strong point. In the greater scheme of many businesses, HIPAA (and other regulations) are commonly seen by management and staff as an annoyance and another meaningless expense.”

Sometimes there’s reason to wonder why anyone should care about HIPAA. The Centers for Medicare and Medicaid Services (CMS) won’t enforce compliance with its updated HIPAA 5010 requirements until July 1, even though all healthcare organizations should have converted to the new electronic standard by the first of this year.

July 1 is 90 days after the April 1 enforcement date the CMS had decided on late last year… which is 90 days later than the original planned 5010 enforcement date of January 1.

So are the “HIPAA Police” taking a breather, waiting until summer to mount up and enforce all of your violations? Not quite.

Since 5010 is just a new version of the electronic transaction standard (the ASC X12 5010 format for claims and related transactions), it’s a wholly different issue from HIPAA-regulated privacy and security. When it comes to those concerns, you’re still very much accountable.

In fact, you’re far more accountable for ensuring proper privacy and security now than you were back in 2003 (when HIPAA held such an intimidating sway over operations).

Since the American Recovery and Reinvestment Act (ARRA) and its HITECH Act provisions were enacted in 2009, HIPAA covered entities have been required to report breaches of unsecured protected health information to the U.S. Department of Health and Human Services (HHS) and, when a breach affects 500 or more people, to prominent media outlets as well. Affected patients must also be notified, and breaches affecting 500 or more individuals are posted publicly on HHS’ breach notification website.

The HITECH Act also created a formal, tiered penalty structure for HIPAA violations. Until recently, no organization had paid a financial penalty stemming from a breach reported under the new rule, but on March 13, news broke that Blue Cross and Blue Shield of Tennessee will be paying federal regulators $1.5 million in the first enforcement action resulting from the HITECH Act breach notification rule.

$1.5 million is the annual cap for violations of a single HIPAA provision under the tiered HITECH penalty system, but it’s a drop in the bucket compared to the reported $17 million BCBS spent on investigation, notification and mitigation steps resulting from the breach.

So, sure, the ARRA self-reporting requirement means that you are your own HIPAA Police. But with that much money on the line when it comes to violations, you can’t afford to consider the cost of HIPAA efforts “a meaningless expense.”

And it’s not just about paying up once to “get compliant.” Meeting government regulations and patient expectations requires that you consistently invest in staff training, security testing and up-to-date technology.

Leon Rodriguez, director of the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), said earlier this week that the government will be increasing and intensifying its enforcement of HIPAA in coming months. So it’s important to not only care about HIPAA, but to take the consequences of potential violations extremely seriously.

With the BCBS case adding up to some $18.5 million in penalties and breach-response costs, you should still be afraid – very afraid – of HIPAA.

How do you ensure HIPAA compliance in your practice? Let us know in the comments!