HIPAA Enforcement in 2015
Greg Garner
HIPAA enforcement has seen significant changes in leadership and approach at the Office of Civil Rights (OCR). With that in mind, there will be a lot of activity on the HIPAA home front this year. The OCR is responsible for a number of regional offices and for enforcement efforts that are due to take place this year, but the office has its own challenges. There have been at least five leadership changes within the agency, which could pose significant problems as the HITECH Act and other pieces of the HIPAA enforcement guidelines come into review.
Although some enforcement actions and decisions have made an example of certain organizations, it is questionable whether OCR will take an aggressive approach to enforcement and to reaching settlement agreements. According to figures on the website, there are currently over 6,000 privacy and security rule complaints under investigation, which puts pressure on the agency to take serious enforcement actions.
The HITECH Act poses another issue, as jurisdictional oversight now expands to business associates and to the development of tools for enhanced enforcement of the rules. Even with these protocols in place, major provisions of the HITECH Act have not yet been adopted or are still in development, which calls into question the remaining provisions of the act that are supposed to be implemented this year.
The HITECH Act has a number of rules that must be followed, including an accounting of unauthorized disclosures. In 2013, the Privacy and Security Tiger Team made recommendations on the scope of the rule, but the team has since disbanded, with no word on where things stand.
While this may give some covered entities and their business associates more time to come into compliance, there is no doubt that the OCR is in full enforcement mode. Making sure your organization has all the documentation, training and security protocols in place is an important part of compliance. Keeping PHI secure and employing measures to protect your device usage is also a significant part of your risk assessment plan, which may be evaluated by the OCR if your organization is selected for an audit. The HHS has a number of tools and resources on its website that will prove useful in developing strategies and protocols for abiding by the regulations.
It is essential that the administrative arm of your organization is instrumental in putting every employee on notice and in hiring the right compliance officers to handle HIPAA compliance. Being proactive in getting your organization in order will help in avoiding costly penalties as the OCR takes shape and begins its regulatory infraction procedures, which can not only cause severe financial penalties but will also put your organization in jeopardy of non-compliance, which has other adverse effects.
Finally, make sure every business associate you conduct transactions with has a contract in place that specifically states they are not an entity of your organization but an independent contractor, to avoid being penalized for their non-compliance, if that should occur. Make compliance under all new rules of HIPAA a main priority within the organization as a good standard business practice.