Large healthcare providers, with correspondingly large budgets, are introducing new security measures to protect stored data, but HIPAA compliance for small businesses lags behind. Smaller healthcare providers are struggling to meet the requirements laid down in the HIPAA Privacy and Security Rules mainly due to a lack of resources and highly qualified staff. Unfortunately, regardless of the size of the company, HIPAA Rules must be followed. The penalty for non-compliance with HIPAA Rules can be severe, and for some companies, small healthcare providers in particular, it can be catastrophic.
Worse news still is that the HIPAA Omnibus Rule will soon become enforceable, and not only will healthcare providers, healthcare clearinghouses and health plans need to abide by the new Health Insurance Portability and Accountability Act Rules, so too will vendors and their subcontractors. Business Associates will soon be required to adopt more stringent security measures to keep Protected Health Information (PHI) private, and it is the responsibility of covered entities to ensure that this is the case. Furthermore, Business Associates will be fined directly for HIPAA violations once the Omnibus Rule is in effect.
Business Associates Involved in 21% of Data Breaches
Healthcare Business Associates (BAs) are often small companies, lacking the budgets to implement the necessary technical safeguards required under HIPAA. This is borne out by figures from the Department of Health and Human Services, showing that 21% of data breaches reported to the HHS have involved BAs.
When the Omnibus Rule becomes enforceable, the OCR will be able to issue fines to BAs directly, and they can be as high as $1.5 million, per violation category, per year that a violation has been allowed to persist. Numerous violations could see fines of several million dollars issued, more than enough to put a small company out of business.
Small BAs, such as Clearpoint Design, a web design company from Boston, can easily breach HIPAA regulations. The report on the HHS “Wall of Shame” shows that 15,000 individuals were affected by a data breach caused by the company’s failure to ensure that one of its subcontractors, Hosting.com, had secured the server it was leasing. The breach affected patients at three healthcare organizations.
The take-home message from the recent data breaches to hit small healthcare providers and their Business Associates is “shape up or pay up.” Once the Omnibus Rule is enforceable, a complaint made to the HHS’ Office for Civil Rights could trigger an investigation. If the OCR investigators uncover HIPAA violations, and certainly if a HIPAA violation caused a data breach, financial penalties are highly probable, regardless of whether a company is a multiple-hospital system or a small web development company.