
Readers Write: The Increasing Enforcement of HIPAA and What It Means To You

September 25, 2013 Readers Write 1 Comment

By Kent Norton


Since HIPAA enforcement began, nearly 100,000 cases or complaints have been investigated. Many of those resulted in fines ranging from a few thousand dollars to more than two million. Today the fines are capped per violation and per calendar year: $50,000 per violation and $1.5 million per calendar year for violations of the same provision.

Fortunately, the Office for Civil Rights allows entities to correct instances of noncompliance within 30 days, provided the failure to comply was not due to willful neglect. The likelihood that your organization will be audited is small when you consider that only about 150 audits were scheduled for 2012. The more realistic concern is that a patient, for whatever reason, files a complaint about HIPAA noncompliance; complaints, not audits, are what trigger most investigations.

With the addition of the HITECH amendments in 2009, HIPAA enforcement has been on the rise, with more than five times as many cases settling after 2009 as before it. HITECH has certainly done more to change how protected health information (PHI) is handled than the original HIPAA rules did.

For most organizations, the first item to scrutinize when considering HIPAA and HITECH compliance is the risk analysis, which the Security Rule requires of every covered entity and business associate. This is a very large task, especially when your IT department must carry out the analysis while still fielding its daily IT requests. Because of the strain this puts on an organization, a segment of the IT industry has emerged to perform this type of risk analysis and to implement HIPAA/HITECH compliance. It may be wise to engage an IT risk analysis and implementation team to help your organization become HIPAA/HITECH compliant as quickly as possible.

The second item to examine is the defense your IT department has against attacks from both internal and external fronts. An efficient and effective PHI defense needs not only well-trained, attentive staff and sound policies, but also complete control over where data is stored and how it is transferred. Once these are in place, your IT department can look at how PHI is accessed and at the avenues an attacker would use to bypass the security measures already in place. One of the most subtle and most often overlooked leakage paths for PHI is personal mobile devices. Developing controls and checks that keep PHI from being transferred, copied, or changed via a personal mobile device can greatly reduce an organization's risk of noncompliance.

Lastly, inspect the systems you have in place in order to determine how frequently periodic risk evaluations and assessments are needed, and develop a monitoring and security mitigation plan. Having these two processes in place will help keep your organization compliant as the IT industry evolves alongside changes in health care and technology.

As enforcement of HIPAA continues its upward trend, more and more organizations will need to take a closer look at how they have implemented their compliance programs. They will need to make sure they have taken the right steps in order to be safe from the steep fines and penalties that could follow.

Kent Norton is a HIPAA security analyst with HIPAA One.


Currently there is 1 comment on this article:

  1. We are familiar with HIPAA PHI violations. What about enforcement of HIPAA Transaction and Code Set violations? Has there ever been a fine for a T&CS violation? Has this ever been enforced? Use of HCPCS Level III codes is a clear violation of this law, and there are other violations that occur daily. Peter Barry wrote a white paper for WEDI on how Medicare's DDE violates HIPAA Transaction and Code Set rules, until he was hired by a company that employed DDE connectivity in its products. Transaction and Code Set violations may represent a level of risk for both providers and payers. But only if it is enforced. If it is not enforced, why have the law?
