Today's Practice: Changing the Business of Medicine National Edition Q1 2018 | Page 30

FINANCE
Data Protection
David Mercy
CIVIL MONETARY PENALTIES:
Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation:
    $100 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
The HIPAA violation had a reasonable cause and was not due to willful neglect:
    $1,000 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
The HIPAA violation was due to willful neglect but the violation was corrected within the required time period:
    $10,000 - $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
The HIPAA violation was due to willful neglect but was not corrected:
    $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
Note that fines have gone well above these limits: Advocate Health System: $5.55 million. CIGNET: $4.3 million. N.Y. Presbyterian Hospital / Columbia University: $4.8 million (N.Y. Presbyterian hit again for $2.2 million 6 years later). Triple-S: $3.5 million. University of Mississippi Medical Center: $2.75 million. Oregon Health & Science University: $2.7 million. Plenty of others have paid $1.5 million and above.
There have been prison sentences and terminations to consider: 6 doctors and 13 employees of UCLA Medical Center were fired for merely looking at Britney Spears' medical records when they had no legitimate reason to do so. Better to look at her album covers and not kill your career.
DATA PROTECTION: THE FIVE MOST CRITICAL DO's AND DON'Ts
DO encrypt ALL patient information. Data should automatically encrypt when it's backed up to the cloud, but you need to ensure that all data on your office network is encrypted as well. Faithfully encrypting your data makes some of the following irrelevant.
DON'T leave unencrypted data on mobile devices (laptops, iPads, iPhones, etc.). Just ONE example: the theft of one of these devices with unencrypted ePHI incurred a $50,000 fine for a hospice in Idaho. If an organization is found to have poor risk analysis and office policies, as Massachusetts Eye and Ear Infirmary was, fines could reach $1,500,000.
DO take care with passwords: make them hard to guess (1234 or 4321 just doesn't cut it) but easy for YOU to remember: 'My anniversary is May 23' becomes Mai523 - it's harder to crack, plus you'll never forget your anniversary. Don't write them down, share them or use the same password for everything, because when cyber thugs crack it, they have the keys to your kingdom and the looting begins.
DO take notice of ANY email anomalies: if something is off or different from the norm, a red flag needs to go up - a different format for a vendor; a link or attachment where usually there isn't one, for example in a PDF file; any message from within your company that is unusual, since someone may have spoofed (copied) the email address. THINK TWICE before clicking any links or attachments!
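One way to turn those email red flags into an automated check that a practice's mail filter or help desk could run, as an added example that is not from the article or its author: it parses a constructed message and flags a lookalike sender domain (a copied address one character off the real one), a Reply-To pointing somewhere else, and an attachment from a sender who normally sends none. The practice domain and the sender history are assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-clinic.test"           # assumed practice domain
USUALLY_ATTACH = {"billing@example-clinic.test"}  # assumed: senders who normally attach files


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two characters off the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def email_red_flags(raw: str) -> list[str]:
    """List the anomalies in one raw message; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    # A copied ("spoofed") address is often the real domain with a character swapped.
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain: {domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append(f"replies would go to a different domain: {reply}")
    # "An attachment where usually there isn't one": compare against the sender's habit.
    names = [part.get_filename() for part in msg.iter_attachments()]
    if names and sender.lower() not in USUALLY_ATTACH:
        flags.append(f"unexpected attachment from {sender}: {names}")
    return flags


# Constructed sample message, not real mail: lookalike domain, foreign Reply-To, surprise attachment.
SUSPICIOUS = """\
From: "Accounts Payable" <billing@examp1e-clinic.test>
Reply-To: payments@mail-forward.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"

(pdf bytes omitted)
--b1--
"""
```

Running email_red_flags(SUSPICIOUS) returns three flags, while a plain internal note with no Reply-To or attachment returns an empty list.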