Think your practice is too small to escape scrutiny and sanctions for HIPAA violations? Better think again.
In April, the HHS Office for Civil Rights (OCR) levied a $100,000 fine against a five-physician cardiac surgery group in Phoenix for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Evidently, the practice used a web-based appointment system that posted patient names online where anyone could view them.
In addition to the fine, the group was required to implement policies and procedures to ensure that patients’ protected health information is adequately safeguarded.
In announcing the fine, HHS OCR struck an aggressive posture. “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a (medical practice).”
So, if your practice does not yet have HIPAA policies and procedures in place, put them in place soon. The feds will not be sympathetic to an argument that your practice is too small to comply with HIPAA.