How HIPAA Mistakes Can Cost Your Botox Business Millions

The HIPAA Act & Your Botox Business

Last month’s Equifax breach made international headlines. Not only were the private records of more than 143 million Americans exposed, it’s now rumored that it occurred due to a known flaw in the system. In fact, the company itself has narrowed down the brunt of the blame to one individual.

A major story to be sure, but one within a business that’s subject to a different set of penalties than aesthetic clinics and others accountable to HIPPA Law. Unlike other cyber hacks and security breaches of customer data, PHI falls under the jurisdiction of the Office for Civil Rights (OCR). The privacy of health records is a Civil Right’s issue for US citizens and this fact can complicate an already serious situation when data leaks occur.

In addition they may not come from where you would expect, insurance and security giant, Beazley reported the following regarding healthcare breaches:

September has been the 2nd worst month in 2017 for PHI breaches. This highlights some disturbing facts and what could be the beginning of more intense penalties for aesthetic businesses that don’t display an adequate level of diligence in protecting patient rights.

The OCR is giving a growing number of states, specifically the Attorney General’s Office,  jurisdiction to determine fines as well as criminal charges for practices that see PHI breaches. One interesting aspect of this arrangement is that a possible percentage of damages will be awarded to the AG’s office when a ruling has been determined.

The definition of negligence is also expanding. The OCR is growing weary of medical organizations that use ignorance of HIPAA rules or an outside business associate’s errors to dodge responsibility for ransomed or carelessly exposed PHI. 

The clear problem with this fading tolerance is that HIPPA rules are complex. The Act itself has gone through a myriad of revisions since it’s inception in 1996. Regulators are struggling to keep pace with cyber and phishing scams, leaving little room for sympathy when a clinic is not following minimum security protocols. 

Below is just a taste of PHI breaches that occurred in August of this year

• Georgia’s RiverMend Health had an unauthorized email breach possibly exposing up to 1300 patient records to an unauthorized user. The hack was discovered on August 10th and the account was promptly shut down the next day. Further inspection shows that the unauthorized user had actually gained access on July 27th.

• As many as 16,562 patient records were open to exposure from a phishing scam on August 2nd and 3rd. Employees of Chase Brexton Health Care were sent bogus emails cloaked as company surveys and several workers were duped into entering their confidential user information.

• When staff returned to work at Ashland, MI-based Namaste Health Care on Monday, August 14 they discovered that a large number of patient files had been infected with ransomware. Sadly, Namaste Health Care was forced to pay the attacker’s ransom demand in order to recover their data.

Whether a breach is caused by clinic negligence or an unavoidable hack, it opens the business up to an audit of their HIPAA compliance and can result in any number of government penalties. Clinics with HIPAA breaches that involve 500 or more patient records are also federally obligated to report them to both Health and Human Services as well as the media. 

In short, when you are setting up your Botox Aesthetic business your liability goes beyond that of a typical company, and unlike Equifax, negligent actions of an employee can still fall squarely on your shoulders. A solid understanding of HIPAA as well as an extensive security platform needs to be on the top of your priority list.

 As a special thank you from Aesthetic Record, please download a free copy of our Botox vs.Dysport eBook with a Triple Blind Study Breakdown.

 {{cta(‘0d3263f9-1512-4835-86d5-5288911d702d’)}}