Be careful what you post on your website; you could be charged with false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged with false advertising by the FTC.
HIPAA is a moving target, and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with the latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, advertising that your organization is “HIPAA Compliant” could put you at risk of false advertising.
It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? That depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.
If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:
(1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);
(2) result in the early, favorable termination of an audit under section 13411; and
(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.
Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess its environment and adapt “best practices”.
Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee or patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), and unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.
This healthcare cybersecurity handout was created by the DHHS:
If you need assistance in navigating the maze of HIPAA, complete the contact us form at https://arismedicalsolutions.com/contact/ or call 877.659.2467 and schedule a demo of Aris’ automated HIPAA compliance platform. Documentation has never been easier, and with our customer service, you will know what is required and how to handle situations that arise.
“Simplifying HIPAA through Automation, Education, and Support”