In 2011, The Department of Health and Human Services’ Office for Civil Rights (OCR) began auditing healthcare providers and business associates to determine overall compliance with HIPAA’s privacy and security laws. At a recent HIPAA security conference, OCR Director Roger Severino announced that
“The next round of examinations will be focused on enforcement and the upcoming audits will use harsher investigative tools to hold bad actors accountable.”
Enforcement for noncompliant offenders may include subpoenas, legal action, reimbursements to victims, penalties, and more. Additionally, Bloomberg Law recently reported that OCR has been ratcheting up enforcement actions over the past three years, and as random HIPAA audits occur, increased penalties will most likely result.
Edward Zacharias, an attorney with McDermott Will & Emery in Boston, told Bloomberg Law that using the audits as an enforcement tool lets the OCR be proactive in identifying HIPAA violations, rather than relying primarily on complaints and breach notifications.
Under the HIPAA Notification Rule, covered entities that experience a HIPAA data breach must self-report the breach to HHS. Some practices aren’t aware of the rules, so audits will help with compliance and overall enforcement. Penalties are no longer immaterial. Average fines range from $100 to $50,000 per HIPAA violation, and are capped at $1.5 million per year.
A common question we receive at PCIHIPAA is, “How do we get HIPAA compliant?” HIPAA compliance must be addressed continuously. It’s not a checkbox or a “one and done” process. Also, the same HIPAA safeguards required by a hospital or a health plan also apply to dentists, doctors, and their business associates. Anthem’s recent $16 million dollar HIPAA fine, and Mr. Severino’s position above, should be a warning to all healthcare providers and business associates.
OCR’s recent audit results show a lack of compliance throughout the industry. Recurring non-compliance issues include:
- Lack of execution of Business Associate Agreements
- No HIPAA Security Risk Assessment on file
- A failure to manage identified risks
- Lack of transmission security
- Lack of appropriate internal auditing
- No patching of software
- Insider threats
- Improper disposal of Protected Health Information (PHI); and
- Insufficient data backup and contingency planning
We find that less than 20% of practices that take our complimentary HIPAA risk assessment are compliant. Common risk mitigation and corrective action plans that covered entities and business associates may be required to incorporate for compliance include:
- Updating risk analysis and risk management plans
- Updating policies and procedures
- Training of workforce members
- Implementing specific technical or other safeguards
- Mitigating common risks like utilizing encryption solutions
- Improved employee and system monitoring
By attending your Complimentary HIPAA Risk Analysis Review, You will be provided with a personalized management solution.
HIPAA requires documented remediation plans. We find this important, yet cumbersome for many small to medium sized healthcare providers. Often they don’t have the resources that hospitals and larger entities possess. HIPAA remains a bad word throughout the industry, however, protecting the privacy and security of your patient information should not be a negative.
At MedPro, we want to help remove the uncertainties surrounding HIPAA compliance, and have begun to offer the OfficeSafe Compliance Platform to make it easy on you and your practice to comply with HIPAA law and survive a random HIPAA audit. In addition, we guarantee that you will never pay a fine. Our program includes a $500,000 cyber insurance policy which covers you for losses relating to a HIPAA fine, data breach, ransomware attack, and more.
Don’t be surprised by a HIPAA audit. Protect your practice by starting with a complimentary Risk Assessment and Schedule a Private HIPAA Webinar to learn about how to protect your practice and your reputation.
© MedPro Waste Disposal, LLC, 2019. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to the author and MedPro Waste Disposal, LLC with appropriate and specific direction to the original content.