How Do You Know When an Attorney Has Gone Against HIPAA Laws

Published on June 17, 2021

HIPAA violation

Do you know what happens when a practitioner commits a HIPAA violation and is reported to the Office for Civil Rights (OCR)? Do you know what you would do if a client filed such a report against you?

As a healthcare practitioner, you're aware of the importance of following HIPAA rules to protect your clients' data and, hopefully, sign up for services like Hushmail to help you maintain your compliance. However, even if you're doing your best to follow the rules, you could inadvertently make a mistake.

In today's post, we're taking a look at HIPAA violations: how they occur, how they are reported, what happens during and after an investigation, and what you can do to prevent a complaint from being filed in the first place.

What's a HIPAA violation?

A HIPAA violation occurs when a covered entity fails to comply with any provision of the HIPAA Privacy, Security, or Breach Notification Rules. There are numerous ways you can commit a HIPAA violation. Here are some of the most common, as listed in this informative HIPAA Journal article: What is a HIPAA violation?

  • Impermissible disclosures of protected health information (PHI)
  • Unauthorized accessing of PHI
  • Improper disposal of PHI
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors before giving access to PHI
  • Failure to provide patients with copies of their PHI on request

How is a HIPAA violation reported?

Even if you do your best to follow the rules, mistakes can be made, and misunderstandings happen. If a client thinks there has been a violation, they can file a complaint with the OCR by mail, fax, e-mail or via the OCR Complaint Portal.

They will need to submit the name of the covered entity (which would be you) and any business associate involved, and describe the perceived violation.

The report needs to be filed within 180 days of when the client believes the violation occurred. However, the OCR may extend the 180-day period if the complainant can show "good cause."

You can visit the OCR website to download the forms and for additional information about how someone can file a complaint.

What happens after a complaint is filed?

After a complaint has been made to the OCR, the next step is an investigation. According to the US Department of Health and Human Services (HHS) explanation about How OCR enforces the HIPAA Privacy & Security Rules:

If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

After the investigation, OCR will issue a letter with the results of the investigation. If it's found that you, the practitioner, did not comply with the HIPAA rules, then you must agree to 1) voluntarily comply with the rules, 2) take corrective action if necessary, and 3) agree to a resolution. According to the HHS:

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of 3 years. During the period, HHS monitors the covered entity's compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity's demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

What about penalties?

The CMPs can be significant depending on the category, or tier, of the violation.

Tier 1
Description: The covered entity was unaware of and could not have realistically avoided the violation even if a reasonable amount of care had been taken to abide by HIPAA Rules.
Fine: Minimum fine of $100 per violation up to $50,000. OCR has the discretion to waive a financial penalty for cases where the practitioner could not have been expected to avoid a data breach.

Tier 2
Description: The covered entity should have been aware of the rule and able to avoid committing the violation but committed the violation due to reasonable cause, not "willful neglect."
Fine: Minimum fine of $1,000 per violation up to $50,000.

Tier 3
Description: The covered entity committed the violation due to willful neglect but has attempted to correct the violation in a timely manner.
Fine: Minimum fine of $10,000 per violation up to $50,000.

Tier 4
Description: The covered entity committed the violation due to willful neglect and did not attempt to correct the violation.
Fine: Minimum fine of $50,000 per violation.

What you can do to ensure your practice is compliant

As you can see, while the process of filing and investigating a complaint is fairly straightforward, there is plenty of room for interpretation. Even at the lowest tier, penalties can be significant, or waived entirely if it's decided that you couldn't reasonably have been expected to avoid the situation giving rise to the violation. However, the biggest cost may be in being subject to OCR monitoring for the period agreed to in the settlement agreement.

Therefore, it's best to be proactive when it comes to complying with HIPAA rules. Keeping compliance at the forefront of your practice management ensures that your clients' data is protected and helps you avoid penalties.

Here are six basic tips that will help you check the compliance boxes and respond effectively if a complaint is ever filed against you.

  • Overall, protect your clients' PHI
  • Get signed Business Associate Agreements from all third parties that might handle your clients' PHI
  • Use encrypted communication services such as Hushmail email and web forms
  • Conduct a risk assessment to identify places where your clients' PHI might be vulnerable and act on the results of the risk assessment
  • Make it easy for your clients to request their health data
  • Keep records of what you're doing to meet HIPAA standards
  • On becoming aware of a compliance issue, deal with it in a timely manner and don't let it become the subject of a complaint

You can read more about what you can do to support your HIPAA compliance in our blog post HIPAA and your private practice: the bare minimum you need to know.

Need a HIPAA-compliant email and web form service?

Sign up for Hushmail for Healthcare

Source: https://blog.hushmail.com/blog/what-happens-when-a-hipaa-complaint-is-filed-against-you