Office for Civil Rights Director announces intention to use harsher investigative tools to hold bad actors accountable
SANTA MONICA, CA, UNITED STATES, October 31, 2018 /EINPresswire.com/ — In 2011, The Department of Health and Human Services’ Office for Civil Rights (OCR) began auditing healthcare providers and business associates to determine overall compliance with HIPAA’s privacy and security laws. At a recent HIPAA security conference, OCR Director Roger Severino announced that the next round of examinations will be focused on enforcement and the upcoming audits will use harsher investigative tools to hold bad actors accountable.
Enforcement for noncompliant offenders may include subpoenas, legal action, reimbursements to victims, penalties, and more. Additionally, Bloomberg Law recently reported that OCR has been ratcheting up enforcement actions over the past three years, and as random HIPAA audits occur, increased penalties will most likely result.
Jeff Broudy, CEO of PCIHIPAA states, "Overall we see less than 20% of all practices and business associates have implemented the safeguards required under HIPAA. In preparation for the next wave of HIPAA audits, we are providing all healthcare providers and their business associates complimentary risk assessments and reviews so they clearly understand what is required, and to help identify the right actions to take in case of an audit."
Under the HIPAA Notification Rule, covered entities that experience a HIPAA data breach must self-report the breach to HHS. Some practices aren’t aware of the rules, so audits will help with compliance and overall enforcement. Penalties are no longer immaterial. Average fines range from $100 to $50,000 per HIPAA violation, and are capped at $1.5 million per year.
HIPAA compliance must be addressed continuously. It’s not a checkbox or a “one and done” process. Also, the same HIPAA safeguards required of a hospital or a health plan apply to dentists, doctors, and their business associates. Anthem’s recent $16 million HIPAA fine, and Mr. Severino’s position above, should be a warning to all healthcare providers and business associates.
OCR’s recent audit results show a lack of compliance throughout the industry. Recurring non-compliance issues include:
• Lack of execution of Business Associate Agreements
• No HIPAA security risk assessment on file
• A failure to manage identified risks
• Lack of transmission security
• Lack of appropriate internal auditing
• No patching of software
• Insider threats
• Improper disposal of Protected Health Information (PHI)
• Insufficient data backup and contingency planning
Common risk mitigation and corrective action plans that covered entities and business associates may be required to incorporate for compliance include:
• Updating risk analysis and risk management plans
• Updating policies and procedures
• Training of workforce members
• Implementing specific technical or other safeguards
• Mitigating common risks, for example by deploying encryption solutions
• Improved employee and system monitoring
Broudy adds, "HIPAA requires documented remediation plans. We find this important, yet cumbersome for many dentists and doctors. Often they don’t have the resources that hospitals and larger entities possess. Not only does PCIHIPAA provide a compliance roadmap for healthcare providers, but we also include $500,000 in cyber insurance for all of our clients. HIPAA audits, ransomware attacks, data breaches, and network security incidents happen. We guarantee our clients are covered, just in case."
About Office for Civil Rights:
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy.
PCIHIPAA is an industry leader in PCI and HIPAA compliance, providing turnkey, convenient solutions for its clients. Its OfficeSafe Compliance Program is “award winning” and takes the guesswork out of compliance while providing the assurance and insurance healthcare providers need to protect their future. PCIHIPAA was recently voted one of the Top 10 Healthcare Compliance Companies of 2017. Learn more at OfficeSafe.com and PCIHIPAA.com.
Source: EIN Presswire