You fully intended to get HIPAA compliant, but it looked hard and maybe too expensive, so you put it off. Or maybe you assumed no one would ever notice that you weren't compliant. Then something happened: a patient complaint, a competitor files a complaint with HHS, a breach happens at one of your business associates (BAs), an ex-employee files a complaint, or you get picked for an audit.
It can start benignly, with a request for certain documentation such as your risk assessment or copies of your security and privacy policies. If you can't produce these documents, you are already exposed to a finding of willful neglect. What if the documents are out of date, or you claim your policies are oral? Willful neglect. What if you did train your staff but never documented it? Willful neglect.
So, as you can see, there are a lot of potentially dangerous scenarios. What is the definition of willful neglect? Willful neglect is defined as "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." 45 CFR 160.401. Section 13410(a) of the HITECH Act [123 STAT.
But what are the consequences of being found in willful neglect? Large fines, corrective action plans for maintaining compliance, bad public relations, outside monitors, and so on. The total cost of a breach has been estimated at $355 per patient record, and a recent case carried a $450,000 penalty for the loss of 388 patient records.
Clearly, penalties on that scale would push many small practices to at least consider bankruptcy. The way to avoid them is simple: do something. Get online security awareness training for your staff; it costs as little as $20 per staff member per year. Get a risk assessment done, and then start updating your policies based on what it finds.