{"id":97,"date":"2014-09-26T22:49:55","date_gmt":"2014-09-26T22:49:55","guid":{"rendered":"http:\/\/www.smsitgroup.com\/?page_id=97"},"modified":"2014-10-01T00:44:51","modified_gmt":"2014-10-01T00:44:51","slug":"businessownersguidetohipaa","status":"publish","type":"page","link":"https:\/\/smsitgroup.com\/businessownersguidetohipaa\/","title":{"rendered":"The Business Owner’s Guide to HIPAA"},"content":{"rendered":"

\u00a0\"small<\/a><\/h1>\n

SMS IT Group<\/p>\n

www.smsitgroup.com<\/a><\/p>\n

213.222.5182<\/p>\n

Written by Scott G. McCarthy<\/p>\n

sgm@smsitgroup.com<\/a><\/p>\n

Business Owner\u2019s Guide to HIPAA<\/p>\n

Revision 2, September 2014<\/em><\/p>\n


CLICK HERE FOR PDF VERSION (CLEANER COPY)<\/a><\/h1>\n


Business Owner\u2019s Guide to HIPAA<\/h1>\n

Everything You Need to Know About HIPAA Compliance<\/h3>\n

About the author: Scott G. McCarthy is the Director of SMS IT Group in Los Angeles, CA. Mr. McCarthy has been performing PCI and HIPAA audits for well over 9 years. He has a 100% pass rate and has never failed an audit to date. Mr. McCarthy has worked with everyone from small doctors\u2019 offices to Fortune 500 corporations and law firms. He has successfully passed PCI audits for law firms, corporations and some of the world\u2019s largest banks. Mr. McCarthy can be reached at <\/em>sgm@smsitgroup.com<\/em><\/a> or at the SMS IT Group at 213-222-5182.<\/em><\/p>\n

Why Is HIPAA Such A Big Deal? Why Should I Care?<\/strong><\/h3>\n

For those in the medical field, HIPAA remains one of the most confusing and unclear requirements they face. If you are a larger practice or firm, chances are you have someone in house who is a HIPAA expert or knows enough to get you through filling out the form. For the rest of you, don\u2019t make a best-effort guess at answering the HIPAA form and drop it in the mail, because the consequences can be painful. Even if you never received or had to fill out the HIPAA form, if you store or send electronic patient records, you are required to have a HIPAA plan and follow it!<\/p>\n

The best analogy I can use to explain HIPAA is your taxes. Every year, you are required to fill out tax forms, whether electronically or on paper, and submit or mail them in. The government gives you the leniency to fill in your answers as you see fit and works, for the most part, on an honor system. In the event an IRS auditor comes knocking, you had better have answered correctly and honestly.<\/p>\n

The same principles apply to HIPAA. For the most part, anyone who falls under HIPAA will be required to fill out a form and drop it in the mail back to the government. What most people don\u2019t realize is what happens if you get flagged for a HIPAA audit. Just like the IRS, the government audits HIPAA forms and the answers you put on them. The key difference is that the government usually outsources audits to private companies, and that is bad news! Why, you ask? Because the companies they hire are extremely efficient at auditing you and can tell very quickly whether you truly comply with the answers you gave on your form. And chances are pretty good you are going to get audited at some point.<\/p>\n

Keep in mind the first thing the auditor will ask you for is your HIPAA plan for that year, and if you can\u2019t produce it, you are already in hot water. And no, you cannot retroactively write your plan, because the auditor is going to want proof your plan was written by the time and date it was due to be completed.<\/p>\n

I Never Worried About HIPAA Years Ago!<\/strong><\/h3>\n

You see, the government is putting quite a bit of resources into ensuring businesses comply with HIPAA, and it is taking this very seriously. I cannot count how many times I get a phone call at SMS IT Group with a panicked doctor on the other end of the line telling me he has been the target of a HIPAA audit and wasn\u2019t really paying attention when he filled out the form. And oh, by the way, if he doesn\u2019t comply, he owes $300,000, due in 30 days. Then the next question I get is \u201chow do I get out of paying this penalty? I didn\u2019t realize what I was filling out! HELP!\u201d Sometimes we can get the penalty removed, and sometimes they are stuck paying it. It all depends on what they filled out on that HIPAA form and threw in the mail a year ago.<\/p>\n

The bottom line is that if you transmit health information in electronic form (and that includes email), you probably fall under HIPAA. This rule doesn\u2019t apply only to doctors or medical firms; it also applies to law firms and the third-party companies that serve them. An excellent example of this is ABC law firm, which has a thriving healthcare practice that represents 2 dozen doctors and regularly exchanges files with the doctors it represents. Not only is the doctor required to be HIPAA compliant, so is the law firm.<\/p>\n

You Better Care About HIPAA If You Want To Keep Your Money!<\/strong><\/h3>\n

Even if you haven\u2019t received the questionnaire or been required to return a HIPAA form, if you handle and send electronic records, you have to be HIPAA compliant. It is your responsibility to know this, and the government is not going to have any pity on you if you plead ignorance.<\/strong> Even worse, if you are a business that falls under HIPAA and have a records breach, meaning that you lost control of your records, someone stole your records, or any event took place in which an unauthorized party got hold of your records \u2013 even 1 record \u2013 the fines are enormous. Take a look at my HIPAA chart below, which documents the fines you are required to pay in the event of a breach:<\/p>\n\n\n\n\n\n\n\n\n\n
Civil monetary penalties<\/strong><\/td>\n<\/tr>\n
Tier<\/strong><\/td>\nPenalty<\/strong><\/td>\n<\/tr>\n<\/thead>\n
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.<\/td>\n$100-$50,000 for each violation, up to a maximum of $1.5 million<\/strong> for identical provisions during a calendar year<\/td>\n<\/tr>\n
2. The HIPAA violation had a reasonable cause and was not due to willful neglect.<\/td>\n$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year<\/td>\n<\/tr>\n
3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.<\/td>\n$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year<\/td>\n<\/tr>\n
4. The HIPAA violation was due to willful neglect and was not corrected.<\/td>\n$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Yes, if you were paying attention to the chart I provided, you can be fined up to $1.5 million in the same calendar year. You are thinking that I am fear mongering and blowing this whole thing out of proportion, right? WRONG!<\/p>\n

A Real World Example<\/strong><\/h3>\n

Let me give you an example. Let\u2019s say you are a dentist who does everything right, has extremely happy clients and runs a thriving practice. You keep your patient records in your purchased software package, which is hosted by the latest whiz-bang medical cloud provider. So you think, I am safe because the whiz-bang provider is responsible for securing my data. So let\u2019s then imagine your office administrator runs a patient report for marketing purposes and saves all your patient data into the spreadsheet program on her computer. Since she has never had HIPAA training, she emails the list to you to review over the weekend. Well, since your Gmail password hasn\u2019t been changed in 5 years, Hacker X gets into your account and downloads the list. Hacker X logs into the underground information market and sells your patient list for a cool and quick $10,000. The next thing you know, a HIPAA representative is standing in your lobby telling you that your patient records are all over the Internet. And by the way, they want to see your HIPAA compliance plan.<\/p>\n

You tell the HIPAA representative that you didn\u2019t know you needed a plan and didn\u2019t know you needed to do all this to be HIPAA compliant. Can you guess what is coming next? A huge fine! You see, every patient record that is compromised (let\u2019s imagine there were 5,000 patient records on that report your office manager emailed out) is considered a violation by the HIPAA auditor on a bad day after his wife had him sleep on the couch last night.<\/p>\n

This situation is considered \u201cwillful neglect\u201d according to our fines chart, so let\u2019s do the math:<\/p>\n

$50,000 x 5,000 patient records = $250,000,000<\/p>\n

But luckily the good folks at the HIPAA compliance department capped the fines at $1.5 million, so you only need to cut a check for $1,500,000. That\u2019s a deal, right? I don\u2019t know about you, but $1,500,000 is A LOT of money to me and to most people out there, and not something I want to hand over to anyone anytime soon. Do you get where this is going?<\/p>\n

So You Have No Interest in Paying $1,500,000<\/strong><\/h3>\n

HIPAA compliance is the responsibility of everyone, and I mean everyone, who stores and transmits electronic patient records. I cannot state this enough. Unless you still use an abacus and store everything on paper because you think the computer overlords are going to take over the planet, you probably fall under HIPAA. And I will say it again: ignorance doesn\u2019t work!<\/p>\n

And if you still think I am fear mongering, I will give you one more example. I was recently called out to a large practice in Los Angeles after the doctor who owned the practice received one of those \u201cyou better be compliant or you have to pay a massive fine\u201d letters. <\/em>The doctor checked the box that said \u201cI have a completed HIPAA plan for 2013.\u201d The problem is he didn\u2019t. He was just trying to blow through the paperwork to move on with his life. Well, in 2014, the auditors showed up and asked him for a copy of his 2013 plan. And that\u2019s when I got the call asking what he should do. The auditors also told him that if he didn\u2019t have the plan and had incorrectly filled out the form, he was going to have to write a check to give back all his Medicare subsidies. Let\u2019s just say it was a lot of money. Enough to make him sweat profusely.<\/p>\n

How About a Vacation to Our Wonderful Federal Institutions? <\/strong><\/h3>\n

Not only does HIPAA have civil penalties, it also has criminal penalties, just in case you thought of falsifying your forms, lying to the auditors or any other combination of illegal activities to get around HIPAA compliance. You simply don\u2019t falsify HIPAA information unless you want to take a free vacation to the United States Federal Prison System. Let\u2019s take a look at the criminal penalties involved:<\/p>\n\n\n\n\n\n\n\n
Criminal penalties<\/strong><\/td>\n<\/tr>\n
Tier<\/strong><\/td>\nPotential jail sentence<\/strong><\/td>\n<\/tr>\n
Unknowingly or with reasonable cause<\/td>\nUp to one year<\/td>\n<\/tr>\n
Under false pretenses<\/td>\nUp to five years<\/td>\n<\/tr>\n
For personal gain or malicious reasons<\/td>\nUp to ten years<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Again, HIPAA is just like the IRS. No one ever comes out looking good when they fail to pay their taxes and get audited. The same rule applies to people who simply ignore HIPAA and get caught. I know the entire concept of HIPAA compliance is fairly new, but it is time to wake up and pay attention, because this act can have massive consequences for your practice and your profits. Ignorance doesn\u2019t work anymore.<\/p>\n

Still Think I Am a Fear Monger? <\/strong><\/h3>\n

So you are reading all this and you still think I am full of hot air or trying to scare the living you-know-what out of you to earn your business, because SMS IT Group obviously handles HIPAA. Well, of course we don\u2019t mind your business; however, the point of this article is to educate you and wake you up if you don\u2019t yet have a HIPAA plan in place. Just to put the fear-mongering doubt in your head to rest once and for all, let\u2019s take a look at the list of HIPAA fines taken right from the www.hhs.gov<\/a> website. I even included the links so you can read about each case in detail if you want. I want you to pay particular attention to the dates these fines took place:<\/p>\n