HHS lowers annual cap on HIPAA penalties, but consequences remain severe

In a previous post, I highlighted a key compliance gap for mental health professionals and other healthcare providers who keep their books in online accounting software such as QuickBooks Online or Xero: these systems are not HIPAA compliant, so any client information entered into them sits outside the safeguards HIPAA requires.

The US Department of Health and Human Services (HHS) has recently published a notice of enforcement discretion reducing the annual limits on penalties for the three lower tiers of violations. Violations are grouped into four culpability tiers: 1) No Knowledge, 2) Reasonable Cause, 3) Willful Neglect, Corrected, and 4) Willful Neglect, Not Corrected. Under the prior interpretation, the annual limit on penalties was $1.5 million for all four tiers. The new annual limits are $25,000, $100,000, $250,000, and $1.5 million respectively (all figures are adjusted annually for inflation).

Despite the lower annual limits, the consequences of HIPAA violations remain considerable. Each individual instance of a violation is subject to its own penalty, and the annual limit applies per identical HIPAA provision violated within a calendar year, so violating several different requirements can multiply the exposure. Per-violation penalties range from $100 to $50,000 for Tier 1; $1,000 to $50,000 for Tier 2; $10,000 to $50,000 for Tier 3; and a flat $50,000 in all cases for Tier 4.

For example, consider a therapist whose business books are kept on a non-compliant platform. If those books contain Protected Health Information (PHI) of 20 clients, each client's record is a separate violation, so the therapist could be subject to 20 such penalties, up to the annual limit. It is crucial to protect yourself by housing patient data only in a HIPAA-compliant EHR system, keeping identifying client details out of the accounting system altogether, and working with a bookkeeper who knows how to maintain compliant business records.

Read the HHS notice here: https://www.govinfo.gov/content/pkg/FR-2019-04-30/pdf/2019-08530.pdf

Curious to learn more about what constitutes a HIPAA violation? I recommend this article: https://www.medprodisposal.com/20-catastrophic-hipaa-violation-cases-to-open-your-eyes