HIPAA has been in place for some years now, and the Office for Civil Rights (OCR), the agency charged with enforcing it, is having its busiest year ever. Not only is OCR becoming more aggressive about enforcing the regulations, it has now expanded its enforcement efforts to all of the businesses the rules cover.
As you may already know, HIPAA's patient information protection rules (the Privacy Rule) took effect for Covered Entities (CEs) like medical offices and hospitals in 2003, with the cybersecurity rules (the Security Rule) following in 2005. However, it wasn't until 2013 that Business Associates (BAs), such as accounting firms, transcription services and other vendors that work with CEs and handle their patient data, became directly responsible and liable under the same privacy and security regulations.
Enforcement is now catching up with that change, and the enforcement phase is beginning for BAs. Those who thought they were doing "enough" to protect patient data may soon get a rude awakening as OCR starts seeking out and reviewing the policies and procedures of BAs nationwide. And if your company isn't in full compliance, you've got more to worry about than just the here-and-now: should OCR discover compliance violations, it can go back to the date the regulations took effect for BAs in 2013 and levy fines retroactively.
Enforcement and Fines Have Become Serious Business!
So far this year the OCR has entered into almost twice as many settlement agreements as they had in the previous two years combined, and levied three times the amount of fines for the same time period.
In July, OCR sent notifications to randomly selected CEs, giving those organizations ten days to supply documentation of their HIPAA compliance. For those who have an appropriate HIPAA program in place, the request is a bit of an inconvenience but should be no more difficult than running a few reports. For those who haven't established or followed proper policies and procedures, these letters can be quite the headache, both in the work needed to produce the requested information and in the potential fines. OCR is reviewing that paperwork now and is about to begin another round of compliance requests in October that will include BAs for the first time ever.
But really, how bad could it be? Let's look at an example of one of the most common violations. A medical office (the CE) hires an outside firm (the BA) to perform billing. The CE is providing confidential patient data to the BA, and is therefore required to put a formal BA agreement in place before the data changes hands. If it does not, from that day forward there are two separate, fineable violations:
- No formal BA agreement when giving confidential patient data
- Unauthorized patient information disclosure (since the BA now has the data without an agreement)
Each day the BA holds the data counts as a fresh instance of each violation, and the standard fine is $1,100 per violation per day, a figure recently increased from $1,000. In this instance, if the violation is uncovered 160 days later, that is two violations at $1,100 each, or $2,200 a day, for a total of $352,000! And this is for the typical "Oops! We didn't know not to do that!" sort of mishap. If OCR finds there was willful neglect, fines can be set at a minimum of $50,000 a day! Really.
When OCR conducts an investigation and finds violations, the figures it calculates are what the fines could be under HIPAA law. Most investigated organizations, however, negotiate a settlement so that they don't have to pay the full amount. That's not to say it isn't a serious financial issue: one recent violation was settled for the "discounted" amount of $650,000. OCR took into account that the CE served underserved populations, including the poor and the HIV-positive community, so that $650,000 was actually a special deal! Really.
OCR’s Next Step: On-Site HIPAA Audits
After the first of the year, OCR will begin conducting on-site audits under its new random audit program. These audits aren't primarily intended as enforcement measures; they are meant to evaluate the state of privacy and security compliance across the medical industry. However, OCR has stated that if an audit uncovers serious problems, it may open an investigation, and at that point the exercise becomes enforcement-focused.
Given the prospect of an on-site audit, you may want to consider getting very serious about HIPAA compliance now, especially if your efforts to comply with the many aspects of the law haven’t been as diligent as they could be. Rest assured that these audits will be exceedingly thorough; they will shine a light up every orifice you’ve got! (Pun intended for certain medical professions.)
If that sounds uncomfortably invasive, good! Do whatever it takes, whether that’s devoting substantial internal resources or consulting a professional, to get your HIPAA ducks in a row now, before you’re subjected to a probing examination that could be costly as well as embarrassing.
If you’d like to learn more about Kardon Compliance’s take on the evolution of HIPAA and the best way to comply with it, check out our podcasts that discuss various aspects of the law:
- OCR Small Breach Investigations
- OCR Desktop Audit Details
- OCR Settlements Keep Coming in 2016
- OCR Resolution Agreement with OHSU
- HIPAA Enforcement 2016
- Enforcement of HIPAA is Changing
- Business Associate Security Issues
Donna Grindle is the owner and president of Kardon Compliance. Her 30 years of professional experience include titles such as Programming Manager, Customer Support Manager, Director of Operations and Vice President of Operations before she started her own technology company in 1998. Donna has helped many kinds of small businesses over the years, with an extensive background in the Healthcare IT niche, and has spent most of her career as an IT consultant specializing in the private practice and business associate segments of healthcare.