Second Phase of HIPAA Compliance Audits Likely to Penalize the Noncompliant
Healthcare organizations will pay a big amount for noncompliance with HIPAA Rules. Despite the hefty penalties for HIPAA violations, many healthcare providers do not bother about their noncompliance and violate several aspects of the HIPAA Rules. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) already began the second phase of HIPAA compliance audits. Healthcare organizations were first subjected to desk audits. Next will be the business associates of covered entities. The desk audits confirmed the fact that a lot of healthcare organizations are still struggling with HIPAA compliance, while others simply do not exert enough efforts to follow the HIPAA Rules.
According to the preliminary desk audits report issued by OCR in September, noncompliance of healthcare organizations with HIPAA is still widespread. About 94% of organizations do not have risk management plans, 89% had inadequate ratings when it comes to giving the patients access to their PHI and 83% did not perform adequate risk analyses. Nothing much has changed for many healthcare providers since 2011/2012 when the first phase of compliance audits was conducted.
In the past, the risk of being discovered as a HIPAA violator is quite low. If HIPAA violators were caught, it was very unlikely that OCR issued financial penalties. Even if state attorneys general can issue fines for violating HIPAA under the HITECH Act, not many were penalized. Today, the risk of being caught for violating the HIPAA is higher. That is because patients are more aware of their HIPAA rights now and filing a HIPAA violation complaint is quite easy. OCR investigates all HIPAA complaints including breaches involving over 500 records. The first thing OCR scrutinizes is the organizations’ HIPAA compliance program.
The enforcement of HIPAA Rules is stricter now and it is more common to see the issuance of financial penalties. Since January 1, 2016, there were 20 settlements between OCR and covered entities or business associates and two civil monetary penalties. OCR did not give a statement yet if they will be issuing financial penalties to those who fail the HIPAA audits. But one thing is sure OCR will not tolerate noncompliance especially multiple violations.