Northern Virginia Organization Not HIPAA Compliant? Real Costs!

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that directed the creation of national standards to protect sensitive patient data, known as protected health information (PHI), from being disclosed without the patient’s consent or knowledge.

If Your Northern Virginia Organization is Not HIPAA Compliant, What Will It Cost You?

Northern Virginia, Metro Washington DC, and Maryland organizations must always be compliant with HIPAA to eliminate the very high and damaging costs of violations.


The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule and the HIPAA Security Rule to implement the requirements of HIPAA and to protect that information. The HHS Office for Civil Rights (OCR) enforces both rules.

What Are the Most Common HIPAA Violations?

It’s important to know and understand the most common HIPAA violations to prevent financial penalties and expensive lawsuits. The 5 most common HIPAA violations that have resulted in settlements with covered entities and their business associates include:

  1. Employees snooping in the healthcare records of family, friends, neighbors, co-workers, and celebrities – The University of California Los Angeles Health System paid $865,500 to settle allegations that it failed to restrict access to medical records.
  2. Failure to perform an organization-wide risk analysis to identify vulnerabilities to ePHI – Excellus Health Plan paid $5.1 million to settle risk analysis and risk management failures.
  3. Failure to manage security risks, i.e., not acting on risks that were identified – The Alaska Department of Health and Social Services paid $1.7 million to settle failures in risk analysis and risk management.
  4. Denying or overcharging patients for access to their health records, or not providing records within 30 days – Cignet Health of Prince George’s County was assessed a $4.3 million civil money penalty for denying patients access to their medical records.
  5. Failure to implement appropriate ePHI access controls limiting access to authorized individuals – Anthem Inc. paid $16 million to settle access control failures and other serious HIPAA violations.

What is the Cost of HIPAA Violations?

The civil penalties for HIPAA violations can be severe and are scaled to the level of culpability. HHS can impose up to $1.5 million per calendar year for identical violations of a single provision. Cases involving knowing misuse of PHI can also be referred to the Department of Justice for criminal prosecution, which can result in fines and jail time. Civil violations are broken down into 4 tiers (the base amounts below are adjusted annually for inflation; since 2019, HHS has also applied lower per-tier annual caps of $25,000, $100,000, and $250,000 to Tiers 1 through 3):

  • Tier 1 – You did not know about the violation and, even by exercising reasonable diligence, would not have known. Penalty: $100-$50,000 per violation.
  • Tier 2 – The violation was due to reasonable cause and not willful neglect; you knew or, by exercising reasonable diligence, should have known about it. Penalty: $1,000-$50,000 per violation.
  • Tier 3 – The violation was due to willful neglect of the HIPAA rules but was corrected within 30 days of discovery. Penalty: $10,000-$50,000 per violation.
  • Tier 4 – The violation was due to willful neglect and was not corrected within 30 days of discovery. Penalty: $50,000 per violation.

The costs of not protecting PHI far outweigh any costs related to having a HIPAA program. Other data breach costs, fines, and penalties you should consider include:

  • FTC fines: $16,000 per violation
  • Class Action Lawsuits: $1,000 per record
  • State Attorneys General: $150,000 – $6.8 million
  • Patient Loss: 40%
  • Free Credit Monitoring for Affected Individuals: $10 – $30 per record
  • ID Theft Monitoring: $10 – $30 per record
  • Lawyer Fees: $2,000+
  • Breach Notification Costs: $1,000+
  • Business Associate Changes: $5,000+
  • Technology Repairs: $2,000+

How Your Virginia Organization Should Comply with the HIPAA Security Rule

The HIPAA Security Rule applies to electronic PHI (ePHI), meaning patient information that is created, received, stored, or transmitted digitally. It requires covered entities and their business associates to implement three categories of safeguards.

To keep patient data safe, your organization must exercise best practices in all three areas: administrative, physical, and technical safeguards.

Administrative Requirements

These requirements establish the policies, people, and processes that keep ePHI confidential, accurate, and available only to authorized parties:

  • Designate a security official who is responsible for data security and HIPAA compliance (an executive, or an IT partner who supports that person)
  • Identify which employees have access to patient data and limit that access to what each role requires
  • Train employees on your organization’s privacy and security policies
  • Require all outside parties who need access to protected patient data to sign business associate agreements (BAAs)
  • Back up your data and have a Disaster Recovery (DR) plan in place
  • Perform a risk analysis at least annually and whenever your environment changes significantly, and document how each identified risk is addressed
  • Create data breach response plans that include notifying affected patients (and HHS, and in some cases the media) and fixing compromised IT systems

Physical Security Requirements 

These requirements help your organization to prevent physical theft and loss of devices that contain patient information:

  • Limit access to computers and keep them behind counters, secured to desks, and away from the general public
  • Monitor and restrict access to secure areas and require visitors to sign in
  • Follow best practices when upgrading or disposing of hardware and software, including securely wiping hard drives
  • Train employees and contractors on physical security best practices and on securing cell phones and mobile devices

Technical Security Requirements

These requirements protect your networks and devices from data breaches:

  • Encrypt ePHI both in transit (for example, sensitive files sent via email) and at rest, and ensure that any cloud-based platform you use offers encryption
  • Have firewalls and intrusion detection and prevention systems in place
  • Train your employees to identify and avoid phishing scams
  • Back up data in case of accidental deletion or changes
  • Require long, unique passwords and use multi-factor authentication (MFA); note that NIST SP 800-63B advises against forcing periodic password changes unless there is evidence of compromise
  • Use integrity controls (checksums, audit logs, record validation) to detect improper alteration or destruction of ePHI
  • Keep updated documentation of your organization’s technology and network configurations

Your Northern Virginia, Metro Washington DC, or Maryland organization may need to hire a specialized IT services partner or consultants to help you meet the HIPAA Security Rule standards. Maintaining compliance requires monitoring changes in the law and upgrading outdated technologies.

NOVA Computer Solutions specializes in serving medical clinics and dental practices, including dentists, orthodontists, oral surgeons, and more. We can write compliance policies and procedures customized to the way you work, to help keep you and your organization in compliance with HIPAA.

Our compliance services include:

  • HIPAA Consulting
  • Compliance Policies and Procedures
  • HIPAA Management, Assessments, & Data Protection
  • HIPAA Attestation
  • Compliance Training
  • PCI-DSS Compliance
  • Cybersecurity Awareness Training

NOVA Computer Solutions is your dedicated compliance team. We stay up to date on the latest HIPAA regulations and standards from the National Institute of Standards and Technology (NIST). We also stay up to date on the latest IT security threats.

We are always here to answer your questions or concerns about HIPAA, PCI-DSS compliance, and cybersecurity. Let’s talk to make sure your organization is compliant and secure. Call us at (703) 576-0956 or send an email over to info@novacomputersolutions.com.
