By Jay Hodes, President - Colington Consulting - HIPAA Compliance Experts
Maybe the question should be, “Can your organization afford not to be compliant?” Just in the last two months of 2015, three HIPAA settlements were announced that totaled over $5 million in payments to the government. Leading the list was Triple-S Management Corporation’s $3.5 million settlement for widespread non-compliance issues discovered during an investigation after a breach notification.
Avoiding fines and penalties does not need to be a costly proposition. But it does take time and commitment from those tasked with managing a HIPAA compliance program. For larger organizations like hospital systems that have compliance staff, most likely there is already going to be a structured program in place that includes routine security awareness training. This can make the process somewhat easier as they work to meet HIPAA compliance requirements.
But what about those small to mid-size organizations that may not have adequate resources in place? Start with this thought to help establish the mindset for meeting compliance requirements. In guidance published by the Office for Civil Rights (OCR), the watchdog agency within the U.S. Department of Health and Human Services tasked with HIPAA enforcement, two points are made perfectly clear: neither the size of an organization nor the cost of becoming compliant can be used as an excuse for not following all the HIPAA regulations.
This is the reality. It’s like paying taxes. Not fun, can be time-consuming, and in some cases you need to pay a lot. But it is the law, and we all do our best to file taxes on time and hope for a refund.
Well, with HIPAA, do not expect any refunds from the government for following the law. The best you can hope for is not to be audited or have a breach. And unlike an IRS audit, which stays private, a breach affecting 500 or more individuals triggers a HIPAA requirement to send out a press release – so it is no longer a private matter.
So where to start? You need to determine what is reasonable and appropriate for your organization, which is perhaps easier said than done. OCR has a free Security Risk Assessment tool available through their website. I will caution that if you go this route, it will be a time-consuming process, but once fully completed, it will meet the risk assessment requirement.
Sorry, but no shortcuts here. A three- or four-page risk checklist is not sufficient. Remember, the overall risk assessment is the basis for determining whether your organization needs to encrypt the data you maintain. If finding the time to conduct the assessment, formulate policies and procedures, and train your workforce is problematic, which it is for many small providers, then consider outsourcing this support.
Companies like mine offer fully supported solutions to meet HIPAA compliance requirements. In most cases, the only time commitment from an organization is input for the risk assessment. This is how you can afford to be HIPAA compliant.