January 15, 2019
We are happy to share with you Mandelbaum Salsburg’s (the “Firm”) Health Insurance Portability and Accountability Act of 1996 (HIPAA) & Privacy Initiative (the “Privacy Initiative”), which the Firm has recently begun offering to healthcare clients. Our healthcare attorneys are constantly looking for ways to better serve you and your business’ needs. As such, in lieu of hiring an in-house privacy officer, the Firm, through its Privacy Initiative, will provide you with an attorney who will perform all of the same functions that a privacy officer would, at a substantially lower cost.
The costs of implementing appropriate HIPAA Policies and Procedures make it easy for Providers to consider them an unnecessary burden. However, it is important to understand the potential penalties providers face for failure to comply with HIPAA. While $1.5 million is the largest statutorily-prescribed penalty that a provider can face, some of the largest settlements vastly eclipse this total.
Small businesses and solo providers are not immune, and we have seen an increase in penalties for non-compliance. In 2017, a small provider settled for $31,000 in restitution to the federal Department of Health and Human Services (HHS) for failure to have a “Business Associate Agreement” with a vendor that had access to patient records. Also in 2017, a health center reached a $400,000 settlement with HHS, based on the health center’s lack of security for electronic patient records. Please note that both of these practices had to pay fines, even though neither of them ever had a breach of their patient records. Beyond monetary penalties, the Office for Civil Rights (OCR) can post on its website, for public viewing, the identities of Providers who have had breaches affecting more than 500 persons (its “Wall of Shame”). A breach affecting more than 500 patients is far easier to incur in the era of spreadsheets and electronic medical records.
HIPAA established the need for administrative, physical and technical safeguards. The linchpin of these requirements, and the one most often overlooked, is the “Risk Assessment.” Performing a Risk Assessment involves reviewing the administrative, physical and technical safeguards that the business has put in place to protect its records. Simply having a modern electronic health record (EHR) system is not, by itself, sufficient security.
HIPAA provides that healthcare providers, as well as any vendor who accesses patient information, must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” As such, a Risk Assessment is a legally required security measure, and best practice dictates that it be performed annually.
In addition, the HIPAA statute requires entities to assign a security official; to implement written policies governing workplace security and access to electronic protected health information; and to address security incidents and/or breaches. Businesses must implement training on these policies and be prepared to follow through on them.
For a fixed fee, Mandelbaum Salsburg will provide everything that your business needs to get started with HIPAA compliance. This package of services includes a security risk assessment, a custom set of HIPAA Policies & Procedures, a custom-prepared Security Breach and Incident Response Policy, training for Senior Management, and a Privacy Officer (the “Basic Compliance Package”). By selecting our Basic Compliance Package, your practice will quickly be put on the road to compliance with HIPAA.
In addition to everything in our Basic Compliance Package, for an additional fee, we will provide a more advanced compliance program, whereby we prepare additional Cyber Security Policies & Procedures to address the overall security architecture of your practice, and we partner with a digital security team to simulate an actual attack against your information technology infrastructure. Lastly, we review any Cyber-Insurance Policies and other insurance policies to ensure that you have adequate protection.
For more information on this new service offering or if you have any questions, please contact:
Mohamed H. Nabulsi, Esq., Shareholder
Mandelbaum Salsburg P.C.
3 Becker Farm Rd., Suite 105, Roseland, NJ 07068
t. (973) 736.4600 x345 | f. (973) 325.7467
d. (973) 243.7933
c. (973) 979.1150