By now I imagine that most have heard about Phoenix Cardiac Surgery and the $100,000 settlement it reached with OCR.
There is an article on it over at JDSupra at http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a... - it is only a few paragraphs long and I encourage you to read it. I want to point out the reasoning that article sets forth for the size of the fine:
- PSC did not adequately provide and document training of its employees on how to appropriately handle protected health information (“PHI”).
- PSC did not have appropriate and reasonable administrative, physical and technical safeguards in place to protect patient data.
- PSC did not appoint a security officer as required by HIPAA, and did not perform an accurate and thorough risk assessment.
- PSC did not obtain “satisfactory assurances in a business associate agreement” from its business associates.
The reason I want to point this out is that if you do a proper annual HIPAA security audit and produce a resulting HIPAA manual, all of these items get done. Our sister site http://www.tldsystems.com can produce one customized to your practice just by answering a set of questions on their site for $599 (or less if you use partner software), and they will throw in training and a reminder email. Be sure, one way or another, to get or create a HIPAA manual, to train your staff annually and within 60 days of hiring, and to remind your staff about HIPAA regularly.