Noncompliance with HIPAA can come with a massive cost for healthcare groups, yet even though the fines for HIPAA violations can be considerable, many healthcare groups have substandard compliance programs and are breaching multiple aspects of HIPAA Rules.
The Department of Health and Human Services’ Office for Civil Rights (OCR) remarked that the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered bodies.
Those desk audits showed that many healthcare groups are either struggling with HIPAA compliance, or are simply not doing an adequate amount to ensure HIPAA Rules are followed.
The preliminary outcomes of the desk audits, released by OCR in September, showed healthcare groups’ compliance efforts were largely inadequate. 94% of groups had inadequate risk management plans, 89% were rated as insufficient on patients’ right to access their PHI, and 83% had carried out inadequate risk analyses. It would appear that for many healthcare groups, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still being experienced in lots of places.
A few years ago, the danger of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were noticed, OCR rarely issued fines. Similarly, even though the HITECH Act permits state attorneys general to apply fines for HIPAA violations, relatively few have used that right.
Today, the danger of HIPAA breaches being discovered is much higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are reviewed by OCR.
The increase in cyberattacks on healthcare organizations mean data breaches are now far more likely to happen. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare groups have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have suffered a cyberattack.
OCR reviews all breaches of more than 500 records to determine whether HIPAA Rules are being adhered to. When a breach happens, groups’ HIPAA compliance programs will be looked into.
OCR has also enhanced enforcement of HIPAA Rules and financial penalties are far more regular. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties applied.
OCR has yet to reveal whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to ignore major HIPAA failures. Multiple breaches of HIPAA Rules could well see fines pursued.
The higher chance of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be noticed. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are adhered to?