Readers Write: The Increasing Enforcement of HIPAA and What It Means To You

September 25, 2013 Readers Write 1 Comment

By Kent Norton

Since the inception of HIPAA and its enforcement, nearly 100,000 cases or complaints have been investigated. Many of those have resulted in fines ranging from thousands of dollars to more than two million. Today the fines are capped per penalty and per calendar year: $50,000 per penalty and $1.5 million per calendar year.

Fortunately, the Office for Civil Rights has allowed entities to correct instances of noncompliance within 30 days if the failure to comply was not due to willful neglect. The likelihood that your organization is audited is small, considering that only 150 audits were scheduled for 2012. The main issue of concern is that a patient, for whatever reason, will file a complaint about HIPAA noncompliance.

With the addition of the HITECH amendments in 2009, HIPAA enforcement has been on the rise, with more than five times as many cases settling after 2009 as before 2009. HITECH has certainly done more to change the face of protected health information (PHI) than HIPAA originally did.

For most organizations, the first thing that should be scrutinized when considering HIPAA and HITECH compliance is a risk analysis. This is a terribly large task, especially when your IT department must do the analysis while still fielding its daily IT requests. Because of the large strain this puts on an organization, a new segment of the IT industry has emerged to perform this type of risk analysis and HIPAA/HITECH compliance implementation. It may be wise to consider employing an IT risk analysis and implementation team to help your organization become HIPAA/HITECH compliant as quickly as possible.

The second thing to examine about your PHI is the defense your IT department has against attacks from both internal and external fronts. An efficient and effective PHI defense needs not only intelligent, self-aware, and careful staff and policies, but also complete control of physical data and data transfer. Once these are in place, your IT department can look at how PHI is accessed and the possible avenues hackers would use to bypass the security measures that are in place. One of the most subtle possible leaks of physical data or PHI is often overlooked: personal mobile devices. Developing controls and checks to keep PHI from being transferred, copied, or changed via a personal mobile device can greatly reduce an organization's risk of noncompliance.

Lastly, inspect the systems you have in place to determine the necessary frequency of periodic risk evaluations and assessments, and develop a monitoring and security mitigation plan. Having these two systems in place will help keep your organization compliant as the IT industry evolves with the changes in health care and technology.

As enforcement of HIPAA continues its upward trend, more and more organizations will need to take a better look at how they have implemented their compliance programs. They’ll need to make sure that they have taken the right steps in order to be safe from the steep fines and penalties that could come as a consequence.

Kent Norton is a HIPAA security analyst with HIPAA One.

1 comment on this article:

  1. We are familiar with HIPAA PHI violations. What about enforcement of HIPAA Transaction and Code Set violations? Has there ever been a fine for a T&CS violation? Has this ever been enforced? Use of HCPCS Level III codes is a clear violation of this law, and there are other violations that occur daily. Peter Barry wrote a white paper for WEDI on how Medicare’s DDE violates HIPAA Transaction and Code Set rules, until he was hired by a company that employed DDE connectivity in its products. Transaction and Code Set violations may represent a level of risk for both providers and payers. But only if it is enforced. If it is not enforced, why have the law?
