Clinical Lab Pays $25,000 HIPAA Settlement- How Did Noncompliance Occur?

Clinical Lab Pays $25,000 HIPAA Settlement- How Did Noncompliance Occur?

Late fees and parking tickets can sometimes feel outrageously expensive like the punishment far outweighs whatever rule we broke. But even though we may feel like we get hit hard with fees, most of us have never had to pay $25,000 for a rule we broke. In May 2021, Peachstate Health Management agreed to pay $25,000 for a HIPAA settlement. Though this is a huge amount of money, it is far from the maximum fee for violations. You could get hit with as much as $1.5 billion a year if you're not careful! Without proper knowledge of the HIPAA rules, you or your business could fall victim to costly fines, a soiled reputation, and the loss of customers. Even businesses that may believe they're in full compliance may have blind spots. Don't let these blind spots cost you an arm and a leg. Read on as we discuss the meaning and importance of HIPAA compliance and what could happen without proper training and implementation.

HIPAA Rules Overview

You've probably heard of HIPAA before. But do you know what it is? Do you know what the letters stand for? And, be honest, did you know it was "HIPAA" instead of "HIPPA"? We'll take a look at what HIPAA is, why it's important, and how not following the rules justifies such a hefty price to pay. The Health Insurance Portability and Accountability Act, or HIPAA, is a set of rules that are set in place to protect the Protected Health Information (PHI) of individuals. It can be broken down into five main rules. These five rules are:

The Privacy Rule

The Privacy Rule regulates the use of PHI and medical records without an individual's authorization. Individuals also have the right to know how their information is shared. This gives more control over personal information to that person, protecting privacy. Can you imagine if just anyone could call and receive your personal health information? That information is of a very sensitive nature and must be treated with the care it deserves.

The Transactions and Identifiers Rules

The Transactions Rule and Identifiers Rule dictate that specific codes must be used for healthcare providers when transferring an individual's PHI. This ensures the security of private information, knowing that the correct information is going to the correct people.

The Security Rule

The Security Rule mandates that organizations have:

  • Members tasked with HIPAA compliance within the organization
  • Safeguards in place for the access of personal data within an organization's system
  • A protected system, including the data itself or any physical equipment

Prevention is the best protection. The safeguards that the security rule requires will allow you to avoid some of the biggest pitfalls in HIPAA compliance.

The Enforcement Rule

The enforcement rule allows the rules to be enforced through active reporting of HIPAA compliance and security measures. It also requires that these measures are shared in business contracts. The potential fees for non-compliance were also raised. This is just a very general overview of some of the HIPAA rules. The deeper you go into the regulations, the more specific and more numerous the rules become. Hence, proper training is a must!

The Cost of Violation

It may seem like a lot for a health provider to be compliant with all of these rules. And it is. But it's important for both your customers and your business. Non-compliance can cost you customers, money, and your reputation. Let's take a look at what happened to the Peachstate Health Management clinical lab.

Peachstate Audit

The Department of Health and Human Services' Office for Civil Rights (OCR) recently performed an audit of Peachstate Health Management, LLC, dba AEON Clinical Laboratories. Several potential violations were found and investigated under the Security Rule category. In the audit, the OCR found that Peachstate did not have the proper equipment, systems, and processes in place to satisfy the guidelines. The problem seemed to arise from a 2016 merger between Peachstate and Authentidate Holding Corporation (AHC). OCR and Peachstate have settled the case. The settlement includes a $25,000 penalty and a mandate that Peachstate will immediately begin working towards total compliance, addressing all areas that the audit found lacking.

Fines

Fines can range even higher for violations found in multiple categories or found to be deliberate. There are four tiers of fees for HIPAA regulations. The current legislation states the maximum for all four tiers as $1.5 million per year, but upcoming changes have proposed new minimums. Tier 1 If within their due diligence, a business is found to have unknowingly violated HIPAA regulations, it falls under Tier 1. The resulting fees can range from $100-$50,000 per violation, with a maximum of $25,000 per year. Tier 2 If a company unknowingly violates HIPAA regulations but has not done reasonable due diligence, the penalty falls under Tier 2. The resulting fees can range from $1,000-$50,000 per violation, with a maximum of $100,000 per year. Tier 3 If a company willfully neglects HIPAA compliance but corrects it within 30 days, the penalty falls under Tier 3. The resulting fees can range from $10,000-$50,000 per violation, with a maximum of $250,000 per year. Tier 4 If a company willfully neglects HIPAA compliance and does not correct it within 30 days, the penalty falls under Tier 4. The resulting fees are $50,000 per violation, with a maximum of $1.5 million per year.

The Importance of Compliance

Robinsue Frohboese, Acting OCR Director, said about the case, "The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients' electronic health information." Proper HIPAA training is the key to safety against such malicious activity and risks to patients.

What is HIPAA Training?

HIPAA training will give you the education and resources you need to understand and implement HIPAA guidelines in your workplace. There is a wide range of courses, programs, and packages available to fit your HIPAA needs. Because we know how important HIPAA training and compliance is, we offer IACET accredited fully online courses, so you can access them from anywhere, anytime you need. At the end of these courses, you will be HIPAA certified. What is HIPAA certification? While there is no standardized certification for HIPAA, certification through our program prepares your business and employees for full HIPAA compliance.

Who Needs HIPAA Training?

Anyone who works in a business that handles PHI needs some degree of HIPAA training. Different roles may require different amounts of training, based on their risk assessment and what kind of contact they have with the PHI. Training should be specific to the employee's role to ensure full compliance within each role in the business. HIPAA training must be reinforced periodically. The exact amount of time is not specified in the HIPAA guidelines, but at least annually seems to be commonly accepted. This regular training should include basics such as:

  • PHI: What it is and when it can be disclosed
  • Understanding the purpose of HIPAA legislation
  • Information about updates to legislation
  • Key elements of the different categories and rules
  • Job-specific and company-specific policies and procedures
  • Preventative measures

Training should occur when an employee is hired, then regularly thereafter. All training should be documented to prepare for potential audits.

The Future of HIPAA

You've seen how important it is to learn about HIPAA laws, where it's required, and how they keep patients safe. But you can't stop there. New HIPAA changes were proposed in December 2020. The main changes proposed are to the Privacy Rule. The upcoming changes aim to simplify and hasten patients' access to their PHI. Some of these changes include, but are not limited to:

  • Reducing wait time for access to PHI (within 15 days instead of 30 days)
  • Allowing more access to records online
  • Updated definitions and phrases to allow for the release of PHI in an emergency
  • Estimated fees are required to be disclosed on the business' website
  • Greater access to PHI for family, caretakers, and coordinating healthcare providers

Other recent updates include an update on Cybersecurity and data breaches, COVID-19 specific adjustments, the expansion of telehealth, and allowing Federal public health authorities greater access to PHI.

Keep Up with HIPAA

Just like any other industry standard, it's essential to keep up with the latest rules and regulations. Rules change. New equipment is invented. New processes are created. Regular training and certification will allow you to spot any issues before they become a problem, keep up with changes, maintain compliance, and avoid large violation fees. Don't get left behind or blindsided. It may seem overwhelming to keep track of changes, to train every employee in their individual role, and to maintain regular training. But it doesn't have to be hard. Let us help you stay on top of all things HIPAA. Whether you're an individual working in healthcare or an employer who needs help keeping up with HIPAA guidelines and procedures, we have IACET accredited training courses to fit your needs.