What are the consequences of not following HIPAA regulations? 7 real-life scenarios
We have all heard of the HIPAA Privacy and Security Rules. We all know that patient privacy and security are important. But what if something happens? What if a patient complains? What if you lose your cell phone, laptop, or thumb drive? What if your computers are hacked? What if you find out that one of your employees said something about a patient to a friend?
This happens every day, and it can and probably will happen to you: your office will experience a HIPAA privacy or security breach.
Here is a list of seven things that can happen when it does. Each of them has happened to countless others.
1. Write a sincere letter telling your patient about it.
“I opened it up and I read this and just got furious. I don’t have words for it right now.” This is what one patient said to KomoNews.com after she received a letter notifying her that her health information had been exposed in a hacker attack on UW Medicine and Harborview Medical Center. You have to send a letter to each patient affected by a breach. It is a requirement under the HIPAA Breach Notification Rule, and the notice must go out without unreasonable delay and no later than 60 days after the breach is discovered.
2. Be front and center on the evening news.
Want to be on the evening news? That’s what happened to Affinity Health Plan. Affinity returned a leased photocopier to the leasing company without erasing its hard drive. CBS News bought the photocopier from the leasing company as part of an investigative report and found patient records on it. Affinity settled with the Department of Health and Human Services for $1,215,780. Now that’s a bad day! But it is not the only example.
After stories about Walgreens and CVS throwing labeled prescription bottles into dumpsters, WTHR Channel 13 in Indianapolis visited pharmacies in Miami, Denver, Boston, and Phoenix and found that Rite Aid was doing the same. Rite Aid subsequently paid $1 million to settle with HHS.
3. Spend a day in court with a patient or two or 100.
With ever-increasing frequency, patients are suing for damages caused by HIPAA privacy and security breaches. Take the case of Walgreens. A customer sued Walgreens after a Walgreens pharmacist looked up the customer’s prescription records and shared them with the pharmacist’s husband, who was the father of the customer’s child. A jury awarded the customer $1.44 million in damages. These kinds of cases are cropping up around the nation.
It’s not just individuals. Groups of affected patients have filed numerous class action suits after being notified of a health care security breach. When the breach notice arrives in the mail, patients band together and file claims against the health care provider or health plan that caused the breach.
4. Get investigated by the local police and be charged by the FTC.
Did you know that every time you advertise or promote your business, you are implying that you maintain the security and privacy of patients’ information? In the LabMD case, the FTC alleged that LabMD patient billing information, including Social Security numbers, had been made available on a peer-to-peer file-sharing network, and that other LabMD documents were later found by the Sacramento, California Police Department in the possession of people under investigation for identity theft.
The FTC filed a complaint against LabMD alleging that its failure to provide reasonable security for that information was an unfair practice under Section 5 of the FTC Act. The FTC takes the position that every health care provider, health plan, and clearinghouse makes an implied promise to keep health information private and secure. If policies, procedures, and safeguards are not in place to protect the security of health information, the FTC can treat that failure as an unfair or deceptive practice, whether or not HHS ever gets involved.
5. Turn yourself into HHS and hope nothing happens.
No matter the size of the HIPAA security breach, whether it involves one person’s or nine million people’s health information, it must be reported to the Department of Health and Human Services (HHS). If the breach involves 500 or more individuals, it must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and the affected individuals and, where the 500 or more live in one state or jurisdiction, the local media must be notified as well. If the breach involves fewer than 500 individuals, it must be logged and reported to HHS within 60 days after the end of the calendar year in which it was discovered.
6. Be turned into HHS by a whistleblower.
HHS makes it easy. It has set up an electronic complaint portal, so HIPAA privacy and security complaints can now be filed online. Since October 2009, HHS has received 813 complaints. The HHS Office for Civil Rights (OCR) has investigated over 70%, or 593, of those complaints. About 280 of the complaints remain open for compliance review.
7. Open up your checkbook for the OCR.
In September of 2013 the fines for HIPAA privacy and security violations were increased. So, get out your checkbook if you’re found in violation of the HIPAA Rule. Take a look at the chart above.
The cost of a HIPAA breach escalates based on the state of your HIPAA compliance program and how quickly you respond to potential or actual privacy and security threats. Failing to implement a HIPAA compliance program, and failing to respond to potential and actual breaches of health information, can cost you dearly.
Mary Beth Gettins is the managing attorney of Gettins Law. She is an experienced business attorney with a background in franchising and health care. Before entering the legal profession, Mary Beth worked for more than nine years in the health care industry. She focuses on HIPAA Privacy and Security Compliance solutions.