While HIPAA was enacted in 1996 significant changes occurred in recent years that place significant financial risks on dental practices, physicians offices and all Covered Entities and their Business Associates. The 2009 HITECH Act modified the data breach law and funded enforcement programs with performance incentives given to the US Department of Health and Human Services Office for Civil Rights. State attorneys general were given authority to enforce the HIPAA civil penalties. The result; more enforcement has happened over the past 3 years then the previous 7 years combined. A SurfCT Security Specialist can help.
In 2012 and 2013, unprecedented penalties are being assessed for HIPAA violations. A small medical practice paid $100,000 for using an unsecured e-mail system for sending patient information, and for using an online calendar to track patient appointments. A hospital was fined $1.5 million when a doctor’s laptop that contained unencrypted patient records was stolen. A state health department was fined $1.7 million when a hard drive was stolen, and a health plan was fined $1.2 million for leaving patient data on the hard drive of a copier it returned at the end of its lease.
While the HIPAA Security Rule is focused on protecting electronic data, over 50% of the HIPAA regulations are Administrative Safeguards—policies, procedures, and training—with a smaller percentage split between Physical and Technical Safeguards. Key tools in protecting Protected Health Information (PHI) are Security Awareness and Training, focused on making sure your staff properly handles protected information in all forms—spoken, written, and electronic.