Really! Fire your CPA and hire your HIPAA consultant.
Here’s why it makes sense:
- Your operating budget is really tight; something/someone has to go.
- Yes, accounting standards and tax law are complex, but HIPAA (HITECH & Omnibus) has over 100 laws and regulations to comply with. Like the IRS, the laws are complex and subject to interpretation. But with each HIPAA law or regulation, you have to assess any vulnerability, the likelihood it will happen, the number of patient records that could be breached, what you are going to do about correcting it and … when.
- But, what’s the worst that can happen if the tax return you file is wrong? You may be called into an audit and might face added taxes & penalties. Compare that to an OCR penalty ranging from a few thousand dollars to $1.5 million per year of non-compliance (they WILL look back), significant – if not enormous – follow-on costs of public notification, credit card insurance to the patients affected, public revelation you violated your patients’ privacy, and likely loss of patients. Oh, and your business associates and suppliers are also vulnerable to audit because of YOUR inability or unwillingness to comply.
- Information for tax returns is compiled by a few skilled employees more or less on a continuous basis, with a quarterly and annual filing. HIPAA compliance must be maintained on a day-to-day basis by everyone on staff. The Office for Civil Rights (OCR) calls that the “culture of compliance”. Even a “small” infraction can precipitate a complaint to the OCR and a desk audit. And then the “fun” really starts!
- An egregious finding by the IRS could put you in Tax Court, but you can almost always negotiate with the IRS. The HIPAA laws are regulations; violating those laws means a regulatory proceeding that is NOT subject to judicial review. You have no right to legal representation, nor any legal recourse to reversal or negotiation. True, the OCR is looking for compliance, not punishment, but it swings an enormous stick backed up by the Congress of the United States. You have no presumption of innocence. You have to comply with OCR demands for records, and YOU have to prove your innocence, that is, that you are compliant.
Good luck …