The answer to this question is pretty straightforward: the consequences of NOT complying with HIPAA regs can be absolutely devastating to a company.
One case that really stands out to me involves a health care entity that was fined $2.5 million after a laptop with electronic protected health information (ePHI) was stolen from an employee’s vehicle. It turns out that the company had an insufficient risk and management process in place and its policies for implementing HIPAA standards, including mobile devices, were still in draft form.
To me, this has served as an important reminder for how all entities within HIPAA’s jurisdiction – including health plans – need to understand the rules and be vigilant about following them. This means everything from knowing the specific requirements under the privacy and security rules to completing the necessary risk analysis and ensuring that the proper physical/administrative safeguards are in place when it comes to protected data.
For health plans specifically, it’s not just important for the benefit administrators to adhere to the HIPAA rules. Compliance is also essential for a plan’s vendor partners who have access to any member info.
The number of HIPAA audits has gone up in the last few years, and large-size companies aren’t the only ones that the Department of Health and Human Services has targeted. Any organization that is subject to HIPAA law can face an audit and should be prepared for one.
Non-compliance isn’t worth the risk or the potential consequences and hefty price tag that can come with it. Can you imagine paying $2.5 million for HIPAA violations that could have easily been avoided?