While many healthcare covered entities (such as physicians and physician practices) believe they are compliant with the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules, the ACH settlement: i) underscores that healthcare covered entities need to proactively and robustly address HIPAA compliance, i.e., revisit and improve previously adopted HIPAA policies and procedures (or develop them if none were previously prepared), continually implement and improve security measures, perform robust risk analyses to identify and mitigate all potential risks and vulnerabilities, train staff, etc.; and ii) demonstrates that the failure to have even one Business Associate Agreement in place with a business associate can have significant financial and reputational repercussions following an OCR investigation.
It is highly recommended that covered entities consider how much attention has been given to overall HIPAA compliance (before a breach of protected health information or the discovery that the covered entity failed to implement a HIPAA requirement). Although investing resources in HIPAA compliance, security safeguards, and training now does not necessarily have an immediate return on investment, proactively addressing HIPAA compliance will help mitigate potential damages (financial and reputational) in the future.
Aaron J. Beresh, Esq. is an attorney with The Health Law Partners, P.C., and represents healthcare providers and practices in almost all areas of healthcare law with a particular focus on corporate/transactional matters, regulatory, and privacy/security matters. Aaron can be reached at (248) 939-0463.
This blog post is for general informational purposes only, and does not constitute legal advice.