Why HIPAA compliance is a growing concern for NEMT providers
HIPAA compliance is a growing concern for many businesses, and NEMT providers are no exception. The HIPAA Security Rule requires covered entities to take specific steps to safeguard electronic Protected Health Information (ePHI), and failure to comply can result in significant fines. In this article, we’ll discuss the importance of HIPAA compliance and how NEMT operations can ensure they are meeting all of the necessary safeguards.
It is also essential for NEMT organizations to fully comprehend the breadth of the requirements in order to avoid non-compliance. These requirements extend beyond simply sending drivers and other workers through so-called “HIPAA Training” and signing business associate agreements.
While many NEMT providers have signed business associate agreements with brokers and vendors, established HIPAA Compliance Officers, and implemented numerous safeguards via technology, a significant number of NEMT providers are not fulfilling the federal criteria, particularly when it comes to having required documented policies and procedures as prescribed by law.
What the government has to say
According to the US Department of Health & Human Services (HHS), as part of HIPAA Security Privacy Rule, “A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”
The Department of Health and Human Services has further emphasized that all covered organizations must have policies in place that limit uses and disclosures to the minimum necessary, restrict access to and use of ePHI based on job responsibilities, establish a policy for notifying individuals about the organization's privacy practices, and address procedures for disclosures and requests for disclosure. These policies are generally the most lacking or non-existent area of compliance for NEMT providers, although other areas of compliance remain an issue for some in the NEMT industry.
For example, while some NEMT companies have policies and procedures in place to protect ePHI during transportation, these same companies often do not have policies or procedures related to the safeguarding of ePHI when it is stored on company devices, including computers, tablets, phones, etc.
This is a critical area of concern, as mobile devices are increasingly being used to perform core operational tasks that involve access to ePHI. Many NEMT providers allow, encourage, or even require their employees to use their own mobile devices, and allow dispatchers to use home computers, often without being able to ensure appropriate encryption, user access controls, and other required safeguards on those devices.
Even if a company can establish appropriate technological safeguards, it may not be sufficient to fully protect the organization and guarantee accountability and compliance under HIPAA and other privacy laws.
Fines and enforcement for non-compliance
Entities that are found to have violated the HIPAA Security Rule are subject to civil or criminal charges, and can be fined up to $50,000 per violation, with a maximum of $25 million in penalties for all violations of an identical provision during a calendar year.
As the Department of Health and Human Services Office for Civil Rights (OCR) has stepped up its enforcement activities in recent years, NEMT providers must be extra vigilant in their efforts to comply with HIPAA and other patient privacy laws.
OCR has collected over $28 million in settlements and judgments from HIPAA-related cases in the past three years, with the average settlement exceeding $650,000. The OCR also recently announced its first ever “no-fault” settlement in which it did not find any evidence of willful neglect, but still fined the covered entity $650,000 for multiple HIPAA violations.
This sends a clear message that OCR is willing to levy significant fines against NEMT providers who are not in compliance with HIPAA, even if there is no evidence of malicious intent or negligence.
Additionally, since the introduction of the HITECH Act (Section 13410(e)(1)) in February 2009, state attorneys general have had the power to prosecute HIPAA-covered businesses for violating PHI disclosure obligations and can file civil lawsuits in federal district court. The maximum fine that may be levied at the state level for a single HIPAA violation is $25,000.
For many NEMT providers, this would result in the majority of them having to close their doors and being placed at risk of exclusion from federal Medicaid/Medicare programs.
What we do to help
Mobility Route is focused not only on ensuring that our relationships with our customers meet the compliance requirements of the law, but also on making the extra effort to provide education and guidance, so that our customers can feel more confident about their own level of compliance, their reduced risk, and their preparedness when an audit does happen.
However, all NEMT providers should always be prepared for the possibility of a HIPAA audit, and should take the necessary steps to ensure their organization is fully compliant with all aspects of the HIPAA Security Rule.
Even though HIPAA compliance can be a daunting task for many NEMT providers, it is critical that they take the necessary steps to protect patient information. By understanding and implementing the safeguards required by HIPAA, NEMT providers can help to protect themselves and their patients from potential privacy breaches.
- HIPAA compliance is critical for NEMT providers, as they are often handling sensitive patient information
- NEMT providers must take steps to ensure their organization is in compliance with HIPAA Security Rule
- Fines for not being in compliance with HIPAA can be significant, and could result in the closure
HIPAA is a critical concern for NEMT providers, as the compliance requirements can be daunting and costly to meet. Yet, with the increasing focus by the Department of Health and Human Services on enforcement activities, it is essential that all NEMT providers take steps to ensure they are in compliance with HIPAA and other
Did you find this article helpful? Share it with your colleagues! And be sure to check back soon for more blog posts on a variety of NEMT topics.