OCR Announces Fines for Breaches Affecting Fewer Than 500 Patients

As a HIPAA compliance IT consultant I work with many small dental and medical practices that are affected by HIPAA regulations. For many years, dental practitioners and boutique medical service providers have been able to fly under the radar of the OCR (Office for Civil Rights) and not worry about audits or fines resulting from breaches. However, in 2016 the OCR began to perform random audits of all covered entities and their downstream business associates. And with the new announcement that the OCR will issue fines for breaches affecting 500 or fewer patients, we will see an even bigger focus on HIPAA compliance from these small practices.

Our service offering, PracticeProtect, has seen a recent uptick in sales as more medical service providers are made aware of the dangers of non-compliance. Where practice owners were once unconcerned with the possibility of an audit and thus lax with their security policies, we are now seeing a strong focus on compliance. Many practice owners have spent so long not focusing on compliance that they aren’t aware of just how non-compliant they are. Our first visit with a new client includes an initial HIPAA risk assessment where we cover twenty topics that are usually problem areas for a small practice. We generally find that practices are initially compliant in less than five of those twenty areas.

There are considerable investments in both time and money to become compliant. Many practices have weighed the cost/benefit ratio before and found that the risks weren’t great enough to warrant the investment. But that cost/benefit ratio is changing and I believe more and more practices will be investing in compliance over the next few years.

Read here about the first case where the OCR issued a fine for a breach that affected fewer than 500 patients. A laptop containing 441 patient medical records was stolen. At the time, the organization that owned the laptop had not performed a HIPAA security risk assessment, nor did it have any policies or practices in place to prevent a breach like this one. Simply encrypting the data on the laptop and password-protecting the encryption key would have stopped this breach. Because the organization had no procedures in place, the OCR levied a $50,000 fine. Since the breach occurred in 2010, that organization has brought itself into compliance. But it could have avoided the breach and the fine altogether if it had been prepared for this. The likely cost of compliance would have been a fraction of the fine it paid.

If you are a small medical or dental practice, let J.J. Micro perform a free HIPAA risk assessment to find out where you stand with HIPAA compliance. There are no strings attached to this risk assessment. You are free to do what you like with the information we provide. We are not government auditors and do not report any security risks to the OCR. We are only here to help you bring your business into compliance.
