Small Healthcare Practices Likely to be Hit with Huge HIPAA Fines

A recent HIPAA compliance survey of small healthcare organizations and billing companies has highlighted major flaws in data security. In light of the upcoming random audits being conducted by the Office for Civil Rights, those flaws could see small healthcare institutions hit particularly hard. Fines for HIPAA non-compliance are considerable, and all HIPAA-covered entities can potentially be audited, even relatively small healthcare organizations.

The survey was conducted by Porter Research on behalf of The Daniel Brown Law Group and NueMD. A total of 1,100 healthcare professionals were asked about the efforts that had been made to secure ePHI and whether they considered their organizations to be fully HIPAA-compliant. The results show that many small healthcare entities are breaching HIPAA regulations and are struggling to cope with the new rules on data security.

It is not just HIPAA that is an issue. Healthcare companies are faced with increased regulatory demands from ICD-10 and Meaningful Use and are struggling to keep their policies and procedures compliant with all current legislation. However, it was the threat of the upcoming HIPAA audits that prompted NueMD to conduct the survey to determine the current state of HIPAA compliance in the healthcare industry.

Many large healthcare organizations have now implemented the necessary controls and security measures to protect patient ePHI, yet smaller companies appear not to have been as diligent or proactive in shoring up their defenses.

The results of the survey are alarming: two thirds of respondents were unaware of the upcoming audits, and 65% of respondents said that their organization had not conducted a risk analysis. A failure to conduct a risk analysis is one of the clearest, and unfortunately most common, violations of HIPAA regulations.

Of the 35% of respondents who claimed to have performed a risk analysis, 34% believed that all security issues had been identified and dealt with and were “very confident” that all devices containing ePHI had been secured and made HIPAA compliant.

More recent changes to legislation – namely the HIPAA Omnibus Rule – extended HIPAA’s reach to include business associates, yet only 24% of respondents had revised their policies and updated their Business Associate Agreements. The provision of ongoing HIPAA training was also a problem area, with 56% of office staff and non-owner healthcare providers claiming not to have received HIPAA training over the course of the previous 12 months. A failure to provide ongoing training and a failure to revise BA agreements could also be considered violations of HIPAA regulations.

According to the managing shareholder at The Daniel Brown Law Group, Daniel Brown, “If an audit were to occur at that particular practice, one of the biggest red flags is that the staff is unaware of the HIPAA compliance plan and what their role is in it.”

When the next round of audits commences, small healthcare companies are likely to be hit hard and face substantial financial penalties unless action is taken promptly to address all non-compliance issues.

Further information on the study can be found here:

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.