The HHS Office for Civil Rights (OCR) has repeatedly emphasized the need to secure health records in order to prevent data breaches. Alarmingly, a large number of healthcare providers have still not implemented data security policies and procedures. Health data breaches have been growing at a disturbing rate, and several recent reports and government statements indicate that it is high time covered entities and their business associates took a close look at their data security posture, and at their existing policies and procedures, and implemented new ones or revised the existing ones where necessary. The government has issued enough warnings so far, and OCR is now set to step up enforcement and impose large financial penalties wherever required.
OCR has been offering lessons to the healthcare industry over the past few years, emphasizing the areas where compliance is required. It has done so in several ways. The first was the initial round of HIPAA audits, which demonstrated widespread failure to comply. The second was the targeted imposition of monetary penalties: OCR chose a particular compliance issue, such as encryption or breach notification policies, and penalized entities that failed to meet that requirement.
The third big step was the promulgation of the HIPAA Omnibus Rule. This rule was put in place with modifications called for by the HITECH Act. Once these final standards came into effect, covered entities and their business associates had to fully implement the necessary policies and procedures, and could not argue that they were waiting for the government’s final rule to come into effect. OCR also provided guidance on some important aspects of the Omnibus rule.
These steps clearly indicate that OCR is serious about enforcing HIPAA. Three recent occurrences also demonstrate this. On June 10th, OCR posted its 2011 and 2012 reports on the breach notification program and on compliance with the Privacy and Security Rules. These reports provide a glimpse into the compliance issues OCR sees, describe the types of breaches that have occurred, and give the number of individuals affected by them. These details highlight the need to have a robust compliance plan and program in place. The reports also identify the most common causes of breaches, including missing safeguards and a lack of encryption.
Also, at a recent conference of the American Bar Association Health Law Section, a Chief Regional Civil Rights Attorney from OCR warned healthcare entities that HIPAA enforcement is likely to increase dramatically, and that monetary penalties are likely to rise significantly along with it. Following this statement, OCR announced its latest settlement on June 23rd, in which Parkview Health System Inc. agreed to pay $800,000 over medical records that had been left in a physician's driveway. Although the violation occurred back in 2009, HIPAA's safeguard requirements were not new even then, and protected health information was already subject to HIPAA. There was therefore a clear obligation to protect the health data, which the entity had failed to meet.
These events reinforce the need to comply with HIPAA immediately, if entities have not already done so. First, an assessment of current compliance status is necessary to understand what policies and procedures are in place and whether they are adequate and effective. Where required, new policies and procedures should be implemented, and entities can seek external help from advisors, peers, consultants, and other security experts to get a HIPAA compliance program into shape. They can also adopt a complete data security solution such as Aegify Security Posture Management, Aegify SecureGRC, or Aegify Risk Management for a comprehensive view of their security and risk posture and end-to-end compliance support.
One thing is very clear at this point: covered entities should act immediately. OCR will begin a new audit program soon, and it may try to recover enough money from non-compliant entities to keep that program running. Healthcare entities should therefore leave no stone unturned in demonstrating complete compliance with HIPAA. They have to look in the mirror and do what is necessary at the earliest.