Can your business afford a major HIPAA violation? Few can. HIPAA violations and enforcement are the purview of the Department of Health and Human Services’ Office for Civil Rights. OCR has imposed more than $116 million in fines due to HIPAA violations, as of spring 2020. Individual fines can be in the six or seven figures.
While the COVID pandemic continues, a lot of businesses are scrambling to keep going. New policies are being made and then revised. Workforces are being downsized, with remaining employees stretched thin as they try to cover new tasks. A lot of things may slip through the cracks right now, but you can’t afford to let HIPAA compliance be one of them.
HIPAA Violations and Enforcement
Any business that’s a covered entity under HIPAA must comply with the law’s requirements around safeguarding protected health information (PHI). PHI must be protected in all forms, including digital information. Any organization that has access to PHI, including non-medical business associates that do things like process or transcribe claims for medical providers, is required to comply with HIPAA.
There are any number of ways for a business to commit a HIPAA violation, even inadvertently. Losing a digital device that contains PHI or letting PHI be accessible to the public, like by leaving sensitive files open on a desk while visitors are in the office, are examples of potential violations. Because HIPAA requires covered entities to safeguard PHI even while it’s being disposed of, improperly destroying files or devices that contain patient information is also a violation.
Note that no one has to actually steal any PHI to cause a violation. Any action on the part of the covered entity that could potentially expose PHI can be punished by OCR. It’s also important to note that HIPAA violations are actionable even after the business in question has closed.
OCR encourages people to anonymously report HIPAA violations through its website. When a violation is reported, OCR investigates and may request information from the covered entity in question. After reviewing the evidence, OCR may allow the covered entity to correct its actions. Fines are generally imposed when a covered entity doesn’t make the changes that OCR deems necessary. So even though a HIPAA violation may not result in a fine, the process can be a long and nerve-racking one that requires your participation as a business owner.
HIPAA and COVID
As we all know, the pandemic complicated a lot of elements of the American healthcare system. While healthcare workers scrambled to safely treat affected patients, OCR announced that it would temporarily exercise discretion around HIPAA violation enforcement in a few specific areas. Basically, OCR said that certain actions that would normally result in violations aren’t going to be punished right now.
This does not mean that HIPAA itself is temporarily lifted, or that a covered entity’s obligations have changed under HIPAA. The relaxed restrictions specifically do things like make it easier for patients to use telehealth services and allow medical providers to share data with health departments tracking the pandemic. There are no changes to the requirements around how covered entities protect and dispose of PHI.
What Business Owners Need to Know
HIPAA violations and enforcement is something that business owners have to have at top of mind right now. As far as OCR is concerned, it’s still your obligation to safeguard all PHI that your business handles. It’s dangerous to be lax about that data no matter what’s going on with your business.
Now’s the time to review your policies about PHI to make sure that all employees understand their responsibilities, especially if employees are now working remotely or covering new tasks. These changes in normal routine can lead to errors. Proper data destruction continues to be critically important. Both paper files and any digital devices that are used to access PHI must be thoroughly shredded at the end of their life in order to completely destroy them and complete your obligation.
If your business is a covered entity under HIPAA and ends up having to close because of COVID, remember that improperly disposing of PHI can create legal trouble even after you’ve closed your doors. OCR may continue to investigate and fine a business owner for past HIPAA violations even after that owner has moved on to their next venture.
Northeast Data Destruction continues to operate safely during the pandemic. Shredding all your sensitive data is best practice for avoiding HIPAA violations and enforcement. We’ll pick up your files and devices, or arrange drop-off at our NAID AAA-certified facility—whatever works best for you works for us too. Reach out to Northeast Data Destruction with questions!