Completing a risk assessment alone does not protect you from HIPAA violations. This is true whether you are a medical service provider or an individual who did not know (and, by exercising reasonable diligence, would not have known) that you violated HIPAA, for example by keeping medical information unencrypted on a hard drive.
Even in that "did not know" tier, civil penalties apply. They are imposed by the HHS Office for Civil Rights (not Medicare) and they are substantial: a minimum of $100 per violation, with an annual cap of $25,000 for repeated identical violations in the lowest tier, and annual caps rising to $1.5 million for the most serious tiers. State attorneys general can also bring civil actions for HIPAA violations under the HITECH Act.
Theft of unattended PHI (protected health information) is quite common among service providers, and especially among staff working from home. For example, a nurse could leave a laptop in an unattended exam room, and the next patient could easily steal it or copy sensitive information onto a USB drive.
Or maybe your children used your laptop and left it somewhere, or took it to school. A disgruntled employee could also leak this valuable information. The security of PHI can be compromised anywhere.
What You Can Do to Ensure Compliance
The easiest way to encrypt PHI data is BitLocker, the full-disk encryption built into Windows (Pro, Enterprise and Education editions). It is easy to manage and can be enabled locally on each laptop or desktop that has a TPM (Trusted Platform Module). Most current computers ship with a TPM, though it may need to be turned on in the BIOS/UEFI firmware settings. If you are not sure whether your machines have one, ask your hardware vendor. Two caveats: BitLocker protects a drive that is powered off or removed, not a laptop left logged in and unlocked, so pair it with an automatic screen lock; and always escrow the recovery key somewhere other than the laptop, or a TPM or motherboard change will make the encrypted PHI unrecoverable.
Several third-party solutions are available as well. Those who think that using a cloud-based EHR makes this a non-issue still need to pay attention: if you use a cloud-based EMR or EHR system, you may be surprised to find that large amounts of data, such as scanned images, faxes, downloaded reports and browser temporary files, are still stored on the local computer or laptop.
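The following PowerShell script is an added example, not code from the original post, showing how an administrator would turn on BitLocker for the Windows system drive on one of the laptops described above. It assumes Windows 10/11 Pro or Enterprise, an elevated PowerShell session, and the built-in BitLocker and TrustedPlatformModule cmdlets; it adds and escrows a recovery password before binding the volume key to the TPM, then verifies the result. The mount point `C:` and the Active Directory escrow step are assumptions for a domain-joined machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): encrypt the OS volume with BitLocker
# bound to the TPM, escrow a recovery password off the machine, and verify status.
# Assumes Windows 10/11 Pro/Enterprise with the BitLocker and TPM modules present.

$MountPoint = 'C:'   # assumed: the Windows system drive holding cached PHI

# 1. Confirm the TPM is present and ready; Enable-BitLocker -TpmProtector fails otherwise.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready. Enable it in the UEFI/BIOS firmware settings first."
}

# 2. Do nothing if the volume is already protected.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$MountPoint is already protected (volume status: $($vol.VolumeStatus))."
    return
}

# 3. Add a numerical recovery password first, so the key is recoverable if the
#    TPM is cleared or the motherboard is replaced.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1

# 4. Escrow the recovery password somewhere other than the laptop. On a domain-joined
#    machine this stores it in Active Directory; on an Azure AD-joined machine use
#    BackupToAAD-BitLockerKeyProtector instead. (Assumed: this machine is domain-joined.)
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 5. Encrypt the volume with the key sealed to the TPM. XTS-AES-256 is the strongest
#    built-in method. -UsedSpaceOnly is deliberately omitted: on a drive that already
#    held PHI, free space may contain deleted records and must be encrypted too.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 6. Verify: ProtectionStatus should be On (once encryption finishes) and the
#    protector list must include both Tpm and RecoveryPassword.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

A TPM-only protector unlocks the drive automatically at boot, so it defends against a stolen powered-off laptop or a removed disk, not against someone who picks up an unlocked, logged-in machine. For laptops that leave the office, consider `-TpmAndPinProtector` with a pre-boot PIN, and run `Get-BitLockerVolume` across the fleet periodically to catch drives that were decrypted or never finished encrypting.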
If you need to know more about how HIPAA violations are enforced, check the HIPAA Omnibus Rule as well as your own state's health privacy laws.
The Department of Justice concluded that the criminal penalties for a violation of HIPAA apply directly to covered entities, including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, officers or employees of a covered entity (where the covered entity is not itself an individual) may also be directly criminally liable under HIPAA, in accordance with the principles of corporate criminal liability.
Where an individual associated with a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or with aiding and abetting.