Healthcare News & Insights

Is your hospital ready for even more HIPAA enforcement?

Hospitals will have to step up their HIPAA compliance efforts because the coming year will see a massive crackdown on violators by federal regulators.

Since the government made it mandatory to report HIPAA violations, the data has shown that nearly one in 10 Americans have had their protected health information (PHI) exposed through healthcare provider data breaches. In fact, since 2009, the U.S. has seen a little over 1,000 PHI breaches affecting at least 500 patients each, and over 100,000 breaches that involved fewer than 500 patients.

The cost of noncompliance

It’s no wonder, then, that the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) are planning to step up HIPAA enforcement on all sides. According to Modern Healthcare, attorney Jerome Meites, who has been working with HHS, believes the OCR is increasing enforcement through fines and settlements on larger organizations to scare facilities into compliance. As FierceHealthIT notes, HIPAA audits will become more focused and will likely carry higher financial penalties once they return next fall. Although providers may see fewer on-site audits as part of the enforcement effort, facilities should still be concerned. The OCR is still choosing which healthcare providers will be audited, so anyone is fair game. And the financial cost will be steep, especially considering that Meites remarked the recent $4.8 million settlement would be “low compared to what’s coming up.”

Steps to security

Thankfully, in the most recent congressional report on breaches occurring between 2011 and 2012, the OCR includes a “Lessons Learned” section. The report assists providers and facilities by explaining how past breaches occurred and where PHI was stored when it was compromised. The “Lessons Learned” section uses that data to show healthcare providers which parts of their operations may be vulnerable and what steps can be taken to secure them. It made the following recommendations:

  • Perform and document regular and thorough risk assessment audits. Pay close attention to potential vulnerabilities with mobile devices like phones, USBs, digital copiers and laptops,
  • Evaluate security during changes in operations, for example, mergers and acquisitions, and
  • Develop proper PHI disposal procedures for your facility, as well as for outdated PHI your business associates may have access to.

Keep in mind, HIPAA penalties can sometimes be reduced when facilities can show they had proper safeguards in place to prevent breaches, or if they take immediate steps after a breach to repair vulnerable areas. A section of the OCR’s report explains what led to some of the larger violations and what the settlements entailed. Some of the measures performed by others were:

  • Revising policies and procedures
  • Improving physical security by installing new security systems or by relocating equipment or records to a more secure area
  • Training or retraining workforce members who handle PHI
  • Providing free credit monitoring to customers
  • Adopting encryption technologies
  • Changing passwords, and
  • Revising business associate agreements.

