Is your business compliant with HIPAA? Would it pass a compliance audit with flying colors – or face hefty penalties?

A scary percentage of group health plan sponsors aren’t complying with the Health Insurance Portability and Accountability Act (HIPAA). According to Buck’s HIPAA Readiness Survey of 31 companies, only 39% of respondents had updated their privacy and security policies and procedures in the last year.

In terms of HIPAA training, only 42% of respondents had provided training to their workforce in the last year. Conversely, 35% stated the last HIPAA training was between one and five years ago, while 13% only provide training during onboarding. The remaining 10% didn’t even know when their last HIPAA training took place.

Those are some concerning responses. Although the sample size is somewhat small, it doesn’t seem farfetched to assume we’d see similar results across a bigger pool. It’s a dangerous trend that needs to be reversed. Unprepared companies aren’t just risking hefty penalties – they’re also risking possible data misuse and breaches if IT infrastructures aren’t up to snuff.

That, my friends, can be costly.

HIPAA violations can range anywhere from $100 to $50,000 per violation.

The financial damage of each violation depends on severity and frequency, but it can be expensive. Here are a few recent examples from the last couple of years:

  • Touchstone Medical Imaging: fined $3 million after exposing PHI of over 300,000 patients.
  • University of Rochester Medical Center: fined $3 million after failing to encrypt mobile devices.
  • Anthem: fined $16 million after failing to take “substantial corrective action” following the largest healthcare data breach in U.S. history, which exposed PHI of approximately 79 million people.

Prudent healthcare companies will want to comply.

How to become HIPAA compliant

I can’t copy and paste the full HIPAA text here, but here are three areas to focus on:

  1. Privacy Rule – addresses standards around protected health information (PHI).
  2. Security Rule – specifies preventative actions that covered entities and their business associates must take to protect electronic PHI.
  3. Breach Notification Rule – provides procedures for handling data breaches.

Per the Compliancy Group, there are six processes that can help companies reach HIPAA compliance.

  1. Self-audits
  2. Remediation plans
  3. Ongoing training
  4. Documentation
  5. Business associate management
  6. Incident management

Data security isn’t optional; it’s mandatory. In the digital age, companies have mountains of sensitive data about their operations, their clients, their suppliers, their employees, and so on. If you’re not convinced, check out our post on the importance of data protection and possible safeguards.