
Readers Write: The Increasing Enforcement of HIPAA and What It Means To You

September 25, 2013 Readers Write 1 Comment

The Increasing Enforcement of HIPAA and What It Means To You
By Kent Norton


Since the inception of HIPAA and its enforcement, nearly 100,000 cases or complaints have been investigated. Many of those have resulted in fines ranging from thousands of dollars to more than two million. Today the fines are capped per penalty and per calendar year, at $50,000 per penalty and $1.5 million per calendar year.

Fortunately, the Office for Civil Rights allows entities to correct instances of noncompliance within 30 days if the failure to comply was not willful neglect. The likelihood that your organization is audited is small, considering that in 2012 only 150 audits were scheduled. The main concern is that a patient, for whatever reason, will file a complaint about HIPAA noncompliance.

With the addition of the HITECH amendments in 2009, HIPAA enforcement has been on the rise, with more than five times as many cases settling after 2009 than before 2009. HITECH has certainly done more to change the face of protected health information or PHI than HIPAA originally did.

For most organizations, the first thing that should be scrutinized when considering HIPAA and HITECH compliance is a risk analysis. This is a terribly large task, especially when your IT department must do the analysis while still fielding its daily IT requests. Because of the strain this puts on an organization, a new segment of the IT industry has emerged to perform this type of risk analysis and HIPAA/HITECH compliance implementation. It may be wise to consider engaging an IT risk analysis and implementation team to help your organization become HIPAA/HITECH compliant as quickly as possible.

The second thing to examine about your PHI is the defense your IT department has against attacks from both internal and external fronts. An efficient and effective PHI defense needs not only intelligent, self-aware, and careful staff and policies, but also complete control of physical data and data transfer. Once these are in place, your IT department can look at how PHI is accessed and the possible avenues an attacker would use to bypass the security measures in place. One of the most subtle possible leaks of physical data or PHI is often overlooked: personal mobile devices. Developing controls and checks to keep PHI from being transferred, copied, or changed via a personal mobile device can greatly reduce an organization's risk of noncompliance.

Lastly, inspect the systems you have in place in order to determine the necessary frequency of periodic risk evaluations and assessments, and develop a monitoring and security mitigation plan. Having these two systems in place will help keep your organization compliant as the IT industry evolves with the changes in health care and technology.

As enforcement of HIPAA continues its upward trend, more and more organizations will need to take a closer look at how they have implemented their compliance programs. They'll need to make sure that they have taken the right steps in order to be safe from the steep fines and penalties that could follow.

Kent Norton is a HIPAA security analyst with HIPAA One.

1 comment on this article:

  1. We are familiar with HIPAA PHI violations. What about enforcement of HIPAA Transaction and Code Set violations? Has there ever been a fine for a T&CS violation? Has this ever been enforced? Use of HCPCS Level III codes is a clear violation of this law, and there are other violations that occur daily. Peter Barry wrote a white paper for WEDI on how Medicare's DDE violates HIPAA Transaction and Code Set rules, until he was hired by a company that employed DDE connectivity in its products. Transaction and Code Set violations may represent a level of risk for both providers and payers. But only if it is enforced. If it is not enforced, why have the law?
