The U.S. Department of Health and Human Services (HHS) intends to use higher fines and a new round of audits to send a strong message to the healthcare industry about complying with the Health Insurance Portability and Accountability Act (HIPAA).
Jerome B. Meites, a chief regional civil rights counsel at HHS, expects "the past 12 months of enforcement to pale in comparison to the next 12 months." His recent comments signal more aggressive punishment for privacy breaches and security lapses, and a more extensive HIPAA audit strategy by HHS’ Office of Civil Rights (OCR).
Meites noted the enormous number of complaints to OCR about lost or stolen unencrypted devices or media. Despite OCR’s continuous warnings to covered entities and their business associates about their obligation to ensure the security of information on these devices, many have yet to perform a comprehensive risk assessment and remain unaware of the potential dangers. Meites emphasized the government's concern about these issues, stating that both portable-media devices and an entity's failure to perform a comprehensive risk assessment were factors in many data-breach cases that resulted in significant financial settlements.
Risk-assessment procedures are expected to be a primary focus when OCR continues its HIPAA compliance audit program later this year. OCR has identified approximately 1,200 companies — about 800 covered entities (healthcare providers, insurers and clearinghouses) and 400 business associates — for potential HIPAA audits.
Enhanced enforcement efforts and the new round of audits highlight the importance of complying with the strict standards imposed by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act for the protection and privacy of certain health information.
Entities can help avoid increased regulatory scrutiny and potential costly violations by ensuring they have both a strong HIPAA training program and a well-informed workforce.