Since 2003, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been charged with enforcing the privacy and security rules for electronic health records, such as electronic consent forms. The true scope of fines and penalties for HIPAA violations often goes unnoticed. As technology becomes an integral part of healthcare, practices need to consider how a breach could result in fines and penalties.
HIPAA and the Digital Age
Most healthcare providers understand the significance of seemingly minor PHI infractions, such as disclosing a single electronic patient form to another party without realizing that an infraction has occurred. However, the fines per infraction range as follows:
- Mistakenly or unknowingly causing an infraction - $100-$50,000.
- An infraction with a “reasonable cause” and no indication of willful neglect of PHI - $1,000-$50,000.
- Willful neglect and corrected in the allotted time - $10,000-$50,000.
- Willful neglect and not corrected - $50,000 or more per violation.
Each scenario also incurs a maximum fine of $1.5 million for multiple infractions in one year and the potential of incarceration. However, these infractions appear trivial when compared to the potential implications of digital health records, such as electronic patient forms, which are far more susceptible to a breach.
PHI in Common Practice Devices
A photocopier carries a digital record of scanned information until the record is overwritten by new data or wiped from storage. Essentially, a broken photocopier may still contain electronic intake forms and other PHI without the practitioner's or practice staff's knowledge. As a result, HHS set out several steps in the 2003 Security Rule to ensure practices comply with digital storage and removal guidelines.
All healthcare providers and practices are required by the Security Rule to implement a means of ensuring the security of protected health information on electronic devices and of identifying its vulnerabilities, explains the HHS.
Case in Point: $1.2M Assessment on Affinity Health
In a 2010 breach report, Affinity was found to have failed to take these actions, and 344,579 people faced the uncertainty of compromised health records through electronic consent forms. In 2013, HHS settled with Affinity over the breach to the tune of $1,215,780 in penalties, far more than mitigating and preventing the breach would have cost, reports Healthcare IT News.
It seems unrealistic to think that one machine can cost a practice more than $1 million, but it happened recently. For practice owners, managers, and staff, the implications and need to identify digital threats to PHI will only grow.
Can your practice afford to lose $1 million on a printer or copier?