HIPAA enforcement increased dramatically in 2016. The Office for Civil Rights (OCR) collected $23.5 million in fines, compared to $7.4 million in 2014. This record-breaking year also saw the single largest HIPAA fine on record, $5.5 million against Advocate Health Care System. Shortly after, Memorial Healthcare System was fined $5.5 million as well.
How the 2016 HIPAA Enforcements Affect You
In the years to come, you may wonder whether 2016's increase in HIPAA enforcement is the new norm. Under the previous administration, a large increase in the budget for Health & Human Services (HHS) made this level of enforcement possible. It is hard to predict whether the increase in enforcement will carry into 2017. Whether it increases or not, your organization should prepare.
Here is what you need to know about how this may affect your organization.
OCR Initiative Increases Regional Offices' Investigatory and Enforcement Authority
In 2016, the OCR launched a new initiative meant to give its regional offices increased investigatory and enforcement authority. A breach impacting fewer than 500 individuals will be investigated by a regional office. These breaches will be prioritized according to:
- The size of the breach
- The amount of protected health information (PHI) exposed
- Whether theft was involved
- Whether the breach was caused by a cyberattack
- The organization's history of breaches
This increased involvement of the regional offices means that smaller breaches will come under more scrutiny than ever before.
Phase Two HIPAA Privacy, Security and Breach Notifications Audit
In 2017, phase two of the "HIPAA Privacy, Security and Breach Notification Audit" will continue as planned. This audit began in July 2013, when 167 covered entities were selected to take part in initial desk audits. The audit is being performed on a cross section of the healthcare sector, and phase two is the onsite portion for the selected organizations. According to "A Look Back at a Year of Record Setting HIPAA Enforcement" by David Saunders of Law 360, the HIPAA controls the audit will focus on include:
- Notice of privacy practices
- Provision of notice of privacy practices/rights
- Patients' rights of access
- Timeliness of breach notification
- Content of breach notification
- Risk analyses
- Risk management procedures
Business Associate Agreements Under Scrutiny
During the 26th National HIPAA Summit in Washington, D.C., one of the speakers shared that "Many business associates are not in compliance with the HIPAA security rule…" It is important to pay attention to the documentation requirements for your Business Associate Contracts. The OCR audit program is expected to shed more light on the trend of non-compliant business associate agreements.
Looking Ahead to 2017 HIPAA Enforcement
It is unclear how budgetary changes could affect the OCR's enforcement in 2017. Even so, there will be plenty to watch this year, including the audit, the increased regional office authority, and business associate agreements under intensive scrutiny.
Our recommendation is to speak with a compliance expert about conducting an internal audit. Crossroads experts are equipped to create an expedited plan to bring your organization into compliance with HIPAA. Contact us using the form below to begin preparing for the new year of HIPAA enforcement.