HIPAA violations can be financially crippling for an organization: civil penalties range from $100 to $50,000 per violation, depending on the level of culpability. One of the most alarming aspects of a HIPAA breach is that a single incident can be counted as hundreds, or even thousands, of separate violations, typically one per affected individual. Covered entities must report breaches of unsecured protected health information (PHI) not only to the Department of Health and Human Services (HHS), which enforces HIPAA through its Office for Civil Rights, but also to the individuals whose data was exposed.
Under the HIPAA Enforcement Rule, a covered entity can avoid a civil penalty if the violation was not the result of "willful neglect" and is corrected within 30 days of the date the entity knew, or should have known, of it. Here are a few tips on how this can be accomplished:
- Update your security risk assessment as required by HIPAA.
Use the HHS security risk assessment tool to conduct and document a risk analysis that identifies where electronic PHI is stored, transmitted and processed, and what threats and vulnerabilities could expose it. A documented, current risk analysis is the first thing investigators ask for after a breach.
- Implement the technical, administrative and physical safeguards required under the HIPAA security rule.
Although most organizations have the policies required by the Security Rule on paper, audits and breach investigations routinely find that the safeguards themselves were never fully implemented. Making sure these safeguards are actually in place not only supports compliance but also reduces exposure to system failures and cyberattacks. The guidance and tools published by HHS are an effective way to work toward this.
- Make sure all business associate agreements (BAAs) are in place.
HIPAA requires covered entities to have business associate agreements in place with every vendor that handles PHI on their behalf, and these agreements also help protect the covered entity from liability if the business associate violates the law. Each agreement should state explicitly that the business associate is an independent contractor and not an agent of the organization, since a covered entity can be held liable for the acts of its agents.
- Implement and enforce training
Covered entities can avoid penalties under HIPAA when they have implemented rigorous training policies. Even when an employee has violated the law, if the covered entity can show that the employee was adequately trained and was aware of the policies, it may be able to avoid fines. The organization must be able to demonstrate that the training was thorough, effective and documented.
- Immediately respond to breaches
This is critical for covered entities. The law requires that all covered entities and business associates promptly investigate any privacy complaint and mitigate, to the extent practicable, any harmful effects of a breach. Once an employee or agent has been found in violation, the appropriate sanctions must be applied. Acting quickly limits the exposure of the data and, where a documented risk assessment shows a low probability that the PHI was compromised, may mean the incident does not rise to a reportable breach at all. If the entity or business associate did not act with willful neglect and corrects the violation within 30 days, it may avoid a penalty.
- Report all breaches in a timely fashion
Failing to report a breach within the timeframes HIPAA sets may itself lead to a finding of willful neglect. Any unauthorized acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach, and is reportable to HHS and to the affected individuals, unless a documented risk assessment demonstrates a low probability that the PHI was compromised. That assessment must consider the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; breaches affecting 500 or more individuals must be reported to HHS within the same 60 days, while smaller breaches may be reported to HHS annually.
- Have accurate documentation
All actions must be documented so that the organization can defend itself in the event of a breach or alleged violation. HIPAA requires covered entities and business associates to retain their policies, procedures and records of required actions and assessments for six years from the date they were created or last in effect, whichever is later.
These are crucial steps in ensuring that your organization and its business associates have a way to avoid HIPAA violations. With due diligence and sustained effort, you can protect your organization and be in a defensible position if a breach does occur.