Most physicians look at HIPAA in the wrong way.
The wrong way is to take HIPAA as the “dang government requirement” that “nobody understands”.
A couple of things about this:
- When you make the choice to take money from the government (Medicaid/Medicare or EHR reimbursement money), whether you like it or not, you also make the decision to live with the “crazy” regulations that come from our government…
- Most HIPAA requirements actually make good business sense…
The sooner you view HIPAA as a risk reduction process for you and your practice, the better off you will be.
Let’s take for example this situation at Phoenix Cardiac Surgery, P.C. in Arizona.
What this office screwed up is that they had their scheduling calendar on the internet, not password protected.
I’m sure someone thought this was a great idea, but as they obviously lacked proper HIPAA training, they didn’t realize how much risk this created.
Here are a few quotes from the investigation:
“The investigation found that the practice had few policies and procedures to comply with the privacy and security rules.”
“…it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules”
“the practice did not implement adequate policies and procedures, document employee training, identify a security officer, conduct a risk analysis, or obtain business associate contracts with Internet-based email and calendar services”
Oh, and don’t forget the $100,000 fine, which quite frankly is tiny compared to what it could have been.
So, listen up doctors, practice managers…anyone at a practice…it is time to get your act together. Get compliant now, while you don’t have huge fines to deal with PLUS CMS breathing down your neck…for years to follow.