Since HIPAA was first enacted in 1996, enforcement cases against medical practices have been few and adoption throughout the medical industry has been slow. However, according to government records, the number of PHI breaches and cases has increased tenfold since the newest rule was enacted in 2003. Since that time, there have been a total of 90,000 reported complaints, 85,000 case resolutions, and 32,000 investigations through the Department of Justice.
These 32,000 investigations may seem like a lot, but compared to the number of medical practices and patients in the country the figure is incredibly low. Because of this, medical professionals and business associates of medical practices are generally unfazed and take only the minimum required actions, usually based on the law enacted in 1996. This is a mistake: with the Omnibus Act in effect as of September 23, 2014, OCR is ramping up a wave of government audits and investigations into complaints filed with the agency. This leaves covered entities susceptible to investigations and fines in three main areas: security breaches of PHI, failure to implement the proper security measures to protect PHI, and failure to cooperate with patients in regards to PHI.
Security Breaches of PHI
The first of the three areas, security breaches of PHI, is the easiest way to be fined, because there are so many different portals that handle personal health information and each of them can potentially be breached. The rule states that you are responsible for every component that is susceptible to HIPAA violations, including digital platforms, employees, and every system that handles or transfers personal health information. The penalties for these violations tend to be larger than for the other issues, because the breaches are either improperly reported or hidden until investigators find them. It is imperative to report all breaches as enforcement ramps up: if OCR discovers an unreported breach, the costs are much higher.
Failure to Implement the Proper Security Measures to Protect PHI
The second area, failure to implement the proper security measures to protect PHI, covers the violations that will largely be exposed by upcoming government audits. This is the violation that a majority of the medical industry is in danger of, because many organizations, from large entities to small practices, are either unaware of the new HIPAA stipulations enacted since 2003 or have not taken the steps to enforce them. As enforcement increases, all medical entities and business associates are responsible for implementing these rules, and as random audits become more frequent, those that have not will be fined. Implementing the required security measures now will therefore save you and your organization a great deal of money and time.
Failure to Cooperate with Patients in Regards to PHI
The last area, failure to cooperate with patients in regards to PHI, is the most common form of HIPAA enforcement. This is shown by OCR data, which lists "Impermissible Uses & Disclosures" as the number one issue in investigated cases. As the 90,000 complaints since the 2003 law change show, patients are the largest reason that entities face investigation. One example is the case of Cignet Health, which refused to grant its patients access to their medical records, refused to cooperate with OCR investigators, and was fined a whopping $4.3 million. Organizations therefore need to see that, in addition to taking the proper security measures to protect PHI, they also need to cooperate with patients when it comes to accessing their own personal health information.
So, regardless of whether you are a covered entity or a business associate, it is important that you recognize all components of the HIPAA law and implement them effectively in your organization. OCR is prepared to increase investigations and HIPAA enforcement now that all rules have come into full effect. Protect your company while protecting your patients.