Scrappy CEO Facing Compliance Violations

Rescues Business With Auditors Only Days Away. Passes Along Sage Advice.

To protect his identity, we’ll call him Charles “Wink” Carboni. He owns a medical practice and, as a healthcare provider, is a covered entity under HIPAA, the rules enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).

That means Mr Carboni’s practice is required by federal law to comply with every HIPAA rule and regulation that applies to it.

Simply put, under the Health Insurance Portability and Accountability Act (HIPAA), enacted by the United States Congress in 1996, a healthcare provider must safeguard patients’ medical records and other protected health information (PHI) against unauthorized access and disclosure.

Although he knew the federal requirements, Charles had been dodging the bullet for years. Wink knew he could face severe compliance findings, and possibly HIPAA fines, if an audit turned up violations. He knew his IT systems, security controls, and processes needed significant upgrades to meet compliance.

However, no one at the federal level ever reached out to inspect his systems. No audit letters or notices were mailed or emailed. No one called or stopped by, and none of his partners, vendors, or anyone else in his supply chain ever mentioned being notified.

As time passed, his concern for compliance and upgrades faded. Charles decided he would wait and face it when the Department of Health and Human Services sent its notice.

Well, That Day Did Finally Arrive.

As he sifted through his daily stack of mail, one envelope caught his eye. It looked plain and white, but official. After opening it and pulling out the tri-folded paper, he found the Department of Health and Human Services’ letter began with:

“Dear Mr. Charles Carboni:

“The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has responsibility for administration and enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules (45 CFR Part 160 and Part 164 Subparts C and E)…

“…These rules are designed to provide important health information privacy and security protections and rights for individuals. The OCR is committed to developing and enforcing strong health information privacy protections that do not impede access to quality healthcare.”

Then Wink read the words he hoped would never come.

At the bottom of the second paragraph, a 17-word sentence made his heart sink: “You are receiving this letter because OCR has selected [Charles’ company] to be the subject of an audit.” Finally, it was happening.

As Mr Carboni read further, the letter advised him that he would receive a second letter explaining how the program works and which outside firm would be conducting the independent audit. It went on to describe a pre-audit questionnaire, which Charles had ten business days to complete and return.

And finally, near the bottom, the document stated that the Department of Health and Human Services would schedule the audit, and that the audit could last from three to ten days.

With an Audit Deadline looming, Wink found himself in a bit of a fix.

The news couldn’t have come at a worse time. Charles was busy and shorthanded, and upgrades were not in this year’s budget. But if there were any HIPAA violations, he would have steep penalties to pay, so he had to face it.

Knowing the audit was coming, he needed to find some quick answers. Through his research, Charles discovered he was responsible not just for his own compliance but for ensuring that his business associates, anyone who handled his patients’ sensitive data on his behalf, were bound by agreements to protect it. That meant partners, vendors, and his current IT provider.

The more Wink searched, the more concerns arose. For example, he was shocked to discover that there are five separate HIPAA rules he wasn’t aware of and was probably not compliant with.

They are:

  • Security Rule
  • Privacy Rule
  • Enforcement Rule
  • Unique Identifiers Rule
  • Transactions and Code Sets Rule

Then he learned that the Security Rule requires three categories of safeguards he knew nothing about.

They are:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

As Charles’s search continued, he came across the website for KalioTek.

What grabbed his attention was the information he found on their Compliance & Regulatory Consulting page. More importantly, the HIPAA compliance support section pointed out that KalioTek itself is HIPAA compliant, meaning this IT service provider knew how to handle the IT, security, and compliance issues and upgrades Charles needed help with to pass his audit.

After contacting KalioTek’s HIPAA team, he discovered they offer continuous auditing by their security engineers as part of their overall services. KalioTek takes on the responsibility of making sure its clients’ systems are compliant and secure.

It would be like getting an audit before the official inspection. Mr Carboni could partner with them and outsource all of his IT support to them as well.

After further discussions, and after informing them of the upcoming audit, Mr Carboni turned to KalioTek to get him out of this bind and rescue his business only days before the auditors were to arrive.

Some Sage Advice Charles Wants To Pass Along To You

“Like you, I work very hard at keeping my company moving forward. There are plenty of fires to put out, just in daily operations. You know what I’m talking about when it comes to staff, patients, vendors and partners.

“But faced with an audit, which wasn’t as bad as I thought it would be, the last thing I should have done was put it off and wait until the last minute. That was nerve-racking, and I lost a lot of sleep over it.

“As the CEO, it was my responsibility to do my due diligence ahead of time, not to wait until I received notice, as I did.

“Even though it was possible I’d get a typical auditor, who frequently wouldn’t check deeply into my systems and practices but would only spot-check, I was in no position to risk it.

“What I learned from all this is to stay ahead of the process. If you are a CEO, look at your entire IT system and compliance setup. Then ask yourself questions like:

  • Are my servers really being patched?
  • Are our IT systems compliant with our industry regulations?
  • Am I confident our cybersecurity protection will stop hackers, breaches, and even ransomware?

“If it weren’t for KalioTek, I’d probably be out of business.”

Talk to us