Why HIPAA enforcement will get stronger in 2016
We’ve been saying for the last couple of years that many more HIPAA audits from the Office of Inspector General (OIG) were sure to be heading our way. But of course we’re an IT Support company, serving the healthcare industry, so you might expect us to say that.
But then I came across this prediction from Elizabeth Litten and Michael Kline and I just had to include it here:
“In light of the amount of breaches that took place in 2015, the New Year will most likely see an increase of HIPAA enforcement. However, regulators outside of healthcare - such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission - also try to extend their foothold into the healthcare compliance realm, much in a way that the Federal Trade Commission has.”
If that prediction comes true, and we believe it will, we want to talk about some things healthcare providers should be doing in light of this.
Identify and Close HIPAA Compliance gaps
Based upon an article in the National Law Review, the Department of Health and Human Services (HHS) and Office of the Inspector General (OIG) issued a report recommending stronger oversight of Covered Entities (CE) and Business Associates (BA). This is in response to HIPAA and what happened in 2015, which was a record setting year in terms of breaches.
Specifically the report called for stronger regulation around businesses, and how they comply with the privacy and security rules and breach reporting. What mechanisms are in place? Do they understand the law? These are fundamental pieces and problem areas stemming from this report
Essentially, HIPAA resolutions and corrective actions are up every year since 2009. The Department of Health and Human Services is talking and planning about increasing enforcement.
What’s going to happen this year?
The question becomes, what’s going to happen in 2016? From 2004 to 2014 there has been a 300% increase in the number of complaints they have received. And this was before last year, 2015, when a record number of breaches occurred.
Phase 1 Findings
Going back to 2011, the Office of Civil Rights (OCR) began the Phase 1 pilot program. This was focused on covered entities, in which they randomly audited about 100 covered entities, and a combination of healthcare plans, health care providers and clearing houses. Phase 1 wrapped up in 2013 and the OCR released its findings and lessons learned. Here’s the highlights:
• 2/3 of entities had no complete or accurate Risk Assessment program.
• 44% of Privacy Rule deficiencies involved disclosures of ePHI
• 58 out of 59 healthcare providers had at least 1 negative finding relating to the security Rule
To say the least, the Phase 1 pilot program found some problems, from the get go.
The Findings of the OIG Report, which led to the Phase 2 Audit stated,
“In about half of the closed privacy cases . . . covered entities were noncompliant with at least one privacy standard.”
They recommend the OCR beef up its oversight
They had 5 recommendations which said the OCR should . . .
• Implement a permanent audit program
• Keep documentation of corrective action
• Improve method of tracking cases
• Check CE HIPAA investigation history
• Expand outreach and education to CE’s
In our next post will talk about Phase 2 Audits
Achieve, Illustrate and Maintain Compliance
From personal experience, we can attest to this fact: Achieving, Illustrating to an auditor and Maintaining regulatory compliance is costly and time consuming. There is no doubt about this. But non-compliance can prove even more costly if you ignore it and fail an audit.
Under the new HIPAA, HITECH Omnibus rule, fines from the OCR now range from $100.00 up to $1,500,000.00 depending on an organization’s response to the auditor who requires visible, demonstrable evidence of compliance.
DTS InfoTech Can Help
Many health care providers are not HIPAA Compliant. If this describes you, we can help you Achieve compliance, Illustrate compliance to auditors and Maintain full compliancy.
For more information: www.dtsinfotech.com/hipaa-compliance-for-small-health-care-practices-2/
Dedicated to your success,
General Manager and Compliance Officer
dts|infotech . . . computer networks that work