HIPAA and Health Compliance
By Greg Garner
HIPAA continues to be violated, with data breaches occurring at covered entities and at their business associates. With so many rules and regulations, and so much data being transmitted and recorded, can HIPAA be enforced through civil or criminal penalties when so many organizations are in violation, knowingly or unknowingly, on a frequent basis?
Data breaches continue to rise, and current data security practices are proving ineffective at keeping violations at bay. According to breach reports filed with HHS, 11,840,968 records had been compromised in 2014 through the end of July, a figure that does not yet reflect the record-setting CHS breach disclosed in August. One of the main reasons for continued violations is the absence of critical security infrastructure, which is costly not only to maintain but to keep updated. A number of violations go unreported every year, and covered entities that do not have sufficient security protocols and responsible officers in place cannot keep HIPAA compliance intact.
One of the main problems with HIPAA compliance is the process itself. Many organizations still do not understand everything that needs to take place or how it affects their facilities. These covered entities are having a hard time adapting to frequent changes in the law, and to implementing the new technology and software needed to combat cybercrime.
Another major concern is how organizations can safely determine that their online controls are actually working. With smart devices in common use in healthcare settings, it is difficult to determine whether the software or apps being used are fully compliant. There is no specific protocol in place to check the viability of applications and software used in the cloud, and the risk of PHI being compromised from an online server is much greater than the risk within the facility. The Security Rule requires a risk analysis, but it does not prescribe the technical controls to use. Having a third party confirm the security of an organization's online activity and its protection of PHI would help, but this is not a set standard at the moment.
Additionally, organizations that do not have a compliance officer on hand often miss the mark, because compliance duties are spread across a number of people instead of being handled by one accountable department. The Security Rule already requires covered entities to designate a security official responsible for their policies and procedures, and as enforcement becomes a bigger issue, organizations that have not done so will suffer for it.
These are indications of serious problems within HIPAA compliance practices, problems that will continue to grow. Once the HHS Office for Civil Rights (OCR) steps up its regulatory efforts and begins issuing penalties and fines, organizations will make a more concerted effort to put protocols in place that ensure full compliance. Making sure your organization is taking all the necessary steps to develop, enforce and maintain HIPAA compliance is one of the most important things you can do. Work toward implementing procedures that operate effectively both online and offline, so that your organization is secure and PHI is protected.