The Increasing Enforcement of HIPAA and What It Means To You
By Kent Norton
Since the inception of HIPAA and its enforcement, there have been nearly 100,000 cases or complaints investigated. Among those, many have resulted in fines ranging from thousands of dollars to more than two million. Today the fines have a cap per penalty and per calendar year, restricting the fines to $50,000 per penalty and $1.5 million per calendar year.
Fortunately, the Office for Civil Rights has allowed entities to correct instances of noncompliance within 30 days if the failure to comply was not willful neglect. The likelihood that your organization is audited is small, considering that in 2012 only 150 entities were scheduled for audit. The main concern is that a patient, for whatever reason, will file a complaint about HIPAA noncompliance.
With the addition of the HITECH amendments in 2009, HIPAA enforcement has been on the rise, with more than five times as many cases settling after 2009 as before 2009. HITECH has certainly done more to change the handling of protected health information, or PHI, than HIPAA originally did.
For most organizations, the first thing that should be scrutinized when considering HIPAA and HITECH compliance is a risk analysis. This is a terribly large task, especially when your IT department must do the analysis while still fielding its daily IT requests. Because of the large strain this puts on an organization, a new segment of the IT industry has emerged to perform this type of risk analysis and HIPAA/HITECH compliance implementation. It may be wise to consider engaging an IT risk analysis and implementation team to help your organization become HIPAA/HITECH compliant as quickly as possible.
The second thing to examine about your PHI is the defense your IT department has against attacks from both internal and external fronts. An efficient and effective PHI defense needs not only intelligent, self-aware, and careful staff and policies, but also complete control of physical data and data transfer. Once these are in place, your IT department can look at how PHI is accessed and the possible avenues attackers would use to bypass the security measures that are in place. One of the most subtle possible leaks of physical data or PHI is often overlooked: personal mobile devices. Developing controls and checks to keep PHI from being transferred, copied, or changed via a personal mobile device can greatly reduce an organization's risk of noncompliance.
Lastly, inspect the systems you have in place in order to determine the necessary frequency of periodic risk evaluations and assessments, and develop a monitoring and security mitigation plan. Having these two systems in place will help keep your organization compliant as the IT industry evolves with the changes in health care and technology.
As enforcement of HIPAA continues its upward trend, more and more organizations will need to take a closer look at how they have implemented their compliance programs. They’ll need to make sure that they have taken the right steps in order to be safe from the steep fines and penalties that could follow.
Kent Norton is a HIPAA security analyst with HIPAA One.