Small businesses are not ‘under the radar’ of government enforcement for HIPAA privacy and security rules. Not only is the government issuing meaningful fines to small businesses for non-compliance with these data privacy rules, it is explicitly stating that regardless of the size of the firm, whether a small physician’s office or an insurance broker, it will hold everyone accountable.
In May 2012, American Medical Association news staff reported that a small cardiac surgery practice, a five-physician operation, received a $100,000 HIPAA fine for posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible.
In our discussions with smaller firms, we have heard some treat client data privacy as a low priority because they perceive that they are too small for the government enforcement agency to bother with. Think again. Leon Rodriguez, director of the HHS Office of Civil Rights, the enforcement arm for HIPAA, stated, “the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” OCR has fined hospitals, health plans and pharmacies, assessing civil monetary penalties of more than $1 million each.
The government investigation of this small physician’s office found that the medical practice failed to:
1. implement adequate policies and procedures to protect patient information;
2. document that it trained employees on HIPAA Privacy and Security Rules;
3. identify a security official within the practice and conduct a risk analysis; and
4. obtain any business associate agreements for its Internet-based email and scheduling services.
Using RPost protects the organization as it addresses these points. RPost is unique in that its Registered Email service includes (a) simple-to-use email encryption and (b) proof of the fact of encryption. This combination not only assures compliance, but provides evidence of compliance for auditors, protecting against fines in the case of an accusation of a data breach. RPost now offers data privacy and encryption training programs with employee certifications, to help companies document that they trained employees on HIPAA privacy and security rules. RPost was the winner of the World Mail Award for best in security, and was rated #1 by The Council of Insurance Agents and Brokers in its Email Encryption Buyer’s Guide for the last two years.
The Council’s Email Encryption Buyer’s Guide focuses on the importance of “Auditable Proof of Compliance” in protecting against fines associated with claims of a data breach.
They state, “Auditable proof of compliance: It seems that only RPost has a robust mechanism in place to provide an auditable record of precisely what message content (body text and attachments) was in fact sent and received in an encrypted manner to each intended recipient. This is important because, in the case where there is a data breach after the email has reached the recipient (in the recipient’s environment, or after they have passed the information along to others), the sender will need to retain information to prove that the breach did not happen “on their watch” – that they in fact complied with the data security requirements and delivered the information in a compliant, encrypted manner. RPost addresses this issue by having built its encrypted email service on top of its core Registered Email® service, which The Council endorsed in 2004 as the best way to prove email content, time, and delivery with court-admissible records. By doing this, RPost provides not only effective encryption, but also the most robust proof and record of compliance with the rules of regulators. We believe this is an important (and often overlooked) evaluation criterion, especially considering that Council members have placed a high value on encrypted email services fulfilling the need to protect them from fines in the case of a data breach. RPost is the only provider evaluated that fulfills this requirement.”
Nelson Mullins: RPost Legal Opinion for HIPAA Compliance