HIPAA Compliance Preparedness
When it comes to laying the groundwork for HIPAA compliance, how do you rate? What if you wait for an audit or breach? We look at two scenarios.
If you manage an independent medical practice, you may wonder whether the time and money spent on compliance truly exceed the costs of a failed audit or a breach. To give you a sense of scale, we created two scenarios: a practice that creates and follows its HIPAA policies (and conducts periodic risk assessments) and a practice that doesn’t lay the proper groundwork.
The Costs of HIPAA Compliance
In our hypothetical example, Dr. Cory Compliant owns a practice that is a covered entity. He hires a healthcare attorney to create the government-mandated HIPAA policy. He also brings in HIPAA-savvy contractors to set up his IT and EMR.
Was the money well spent? When the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) orders a HIPAA audit, Dr. Compliant doesn’t bat an eye. He produces his existing HIPAA policy, risk assessments, and compliance logs. His readiness reduces the audit’s disruption to his operations. Readiness also reduces his stress, as he has nothing to hide. He decides to hire an attorney to counsel him through the process, but because his documentation is in such good order, the attorney fees are modest.
If Dr. Compliant has followed his policies to the letter, the OCR is unlikely to find violations or impose fines. But even if Dr. Compliant isn’t perfect, his good-faith efforts to stay compliant mean that his violations will probably fall on the mild side of the spectrum and require modest corrective actions. Thus, his fines will stay low.
And what about a privacy or security breach? The penalties for a breach are determined, in part, by the degree of negligence involved. Dr. Compliant’s documentation helps him demonstrate that a breach occurred despite his diligence. As a result, OCR may not impose fines if he corrects the violation quickly.
Someday, when the doctor decides to sell his practice, his track record of regulatory compliance will factor into the buyer’s assessment. The sale price will likely reflect his stellar reputation and operational strength.
The Costs of HIPAA Non-compliance
Dr. Louis Lawbreaker, despite his name, didn’t always intend to be non-compliant. When he first launched his practice, things were too hectic for him to attend to all of his regulatory requirements. Later, as his practice became more established, the doctor thought he had covered his bases. His EMR platform was HIPAA-compliant. His staff understood the importance of guarding protected health information (PHI). Every patient had signed a Notice of Privacy Practices document. In his view, he saved time and money by avoiding the “extra” legal fees required to establish a formal HIPAA plan.
When the audit letter arrives from OCR, Dr. Lawbreaker immediately regrets his lack of preparation. He cannot furnish a copy of his policies and procedures manual (an automatic violation) and has none of the other requested documentation. The scope of the audit broadens quickly, and he hires an attorney to coordinate the process. It’s a stressful time at the practice and his legal fees far exceed what he would have paid if he had been compliant and audit-ready.
Dr. Lawbreaker will need to pay penalties for each violation, starting with the lack of a written HIPAA policy. And without a set of policies to guide the practice, OCR will likely find many more violations. Furthermore, OCR’s corrective action plan requires Dr. Lawbreaker to become fully compliant, with frequent government checks on his progress. He could find himself facing additional penalties and implementation costs.
In a similar vein, if Dr. Lawbreaker comes under scrutiny because of a breach, OCR will likely determine that the practice failed to exercise due diligence, and penalties will apply.
Keep in mind that if OCR finds HIPAA violations, the process can take years to resolve. The practice cannot avoid paying fines by declaring bankruptcy, and Dr. Lawbreaker may face difficulty selling the practice. In our example, his poor decision will cost him up to five times more in dollars than initial compliance. Moreover, ongoing government scrutiny will create a burden that undermines employee morale and diverts time and energy from patient care.
Lawbreaker’s Scenario: Is It Realistic?
Most healthcare professionals want to achieve full HIPAA compliance and do so as soon as they have the time and resources. Some may take half-measures and hope for the best. Surprisingly, some practice owners decide to roll the dice, believing (mistakenly) that small size will allow them to escape scrutiny.
In addition to random audits, you’ll also need to watch out for complaints. By law, HHS must review every complaint, including those from patients, competitors, or disgruntled employees. An investigation could bring other violations to light, starting with the lack of a written HIPAA policy manual.
It’s also important to acknowledge that even with strong, customized policies in place, you can’t always prevent breaches. You’ll always be somewhat susceptible to hackers, thieves, and staff who don’t follow protocols. Without written policies, periodic risk assessments, and proper training on the policies, the odds of a breach only rise.
The outlay to bring a practice into compliance after an audit or breach will vary by many factors. These factors include the number and severity of violations, as well as the rates for the professional fees. Despite these variations, one thing holds true: waiting until you are caught can be a very costly strategy, even if you own a small practice.
If you’re ready to bring your medical practice into compliance, speak to one of our experienced HIPAA attorneys. We offer consultations to allow you to get to know us and find out if our customized HIPAA plans fit your needs.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.