The Department of Health and Human Services’ Office for Civil Rights is expected to issue more HIPAA noncompliance penalties over the coming year. While OCR assists HIPAA-covered entities with their compliance efforts by issuing guidance, 2017 is likely to see OCR crackdown on non-compliance. Organizations found to have violated HIPAA Rules can expect to have to dig deep and pay for their failure to comply with the HIPAA Privacy, Security and Breach Notification Rules.
OCR investigates all PHI breaches that impact more than 500 individuals. While OCR prefers to resolve noncompliance with HIPAA Rules with voluntary compliance and by issuing technical guidance, HIPAA penalties are increasing.
Last year saw a record number of settlements reached with OCR to resolve HIPAA compliance investigations that uncovered violations of HIPAA Rules. 12 settlements were reached and one civil monetary penalty was imposed on a covered entity.
2017 has already seen three HIPAA settlements announced and one CMP. Children’s Medical Center of Dallas was required to pay a civil monetary penalty of $3.2 million to OCR to resolve violations of HIPAA which contributed to PHI breaches in 2010 and 2013. MAPFRE Life Insurance Company of Puerto Rico settled with OCR for $2.2 million to resolve potential violations of HIPAA Rules that contributed to a breach of 2,029 individuals’ PHI in 2011.
A settlement was reached with Presense Health for $475,000 for the late issuing of breach notifications to patients, and most recently, Memorial Healthcare System settled with OCR for $5.5 million to resolve violations of the HIPAA Privacy and Security Rules that resulted in the improper accessing of 115,143 individuals’ PHI.
At HIMSS17, OCR’s Deven McGraw said HIPAA compliance investigations would continue at the levels seen in 2016. We can therefore expect similar numbers of settlements with covered entities in 2017.
It is currently unclear how the appointment of a new secretary for the Department of Health and Human Services will affect the HIPAA compliance audits or OCR’s enforcement actions. Last year President Trump said ‘subtle’ programs may be cut in an effort to make more funds available for tax cuts.
While OCR’s HIPAA compliance audit program may be affected, there is unlikely to be any reduction in HIPAA noncompliance penalties. Those penalties are an additional source of revenue for OCR, with the funds, in part, put towards its HIPAA enforcement activities.
Given the increase in HIPAA noncompliance penalties, healthcare organizations should ensure that HIPAA Rules are being followed. One of the best ways to assess compliance is to conduct an internal HIPAA compliance audit.
It is far better to self-audit and discover potential HIPAA violations and take corrective action than to have OCR investigators identify non-compliance issues. If OCR discovers noncompliance with the HIPAA Privacy, Security and Breach Notification Rules, financial penalties are likely to be issued.