Last year the HHS Office for Civil Rights continued its current phase of HIPAA enforcement in earnest by increasing focus on audits for healthcare providers and business associates nationwide. As a result, 2016 was a record year for HIPAA enforcement actions and settlements with roughly $22,855,300 paid to OCR as a result of HIPAA violations.
While speculation exists that the new administration’s focus on deregulation will eventually lessen HIPAA enforcement, all signs indicate that the OCR has no intention of slowing. The OCR currently has more than 200 ongoing audits for 2017, with five settlements already announced. The most expensive settlement fine in 2017 thus far was $5.5 million, showing the importance of having physical and administrative safeguards in place before government auditors arrive.
When reviewing the infractions of each of the settled healthcare providers, it is easy to see that a lack of preparation for an eventual breach is a central focus for government auditors. The issues most commonly seen were delayed notification processes, the use of unencrypted technology that can be lost or stolen, and a failure to maintain an internal audit structure to help determine security weak points. Each of these issues can result in PHI leaks and is potentially fatal under the scrutiny of a government auditor.
While HIPAA compliance can be a confusing and stressful experience for both healthcare providers and business associates, a self-critical and forward-thinking plan can help ensure compliance. To determine what obligations your business has under HIPAA, consult with an experienced healthcare attorney.