CAN YOUR PRACTICE DEMONSTRATE HIPAA COMPLIANCE?
…TRENDS SUGGEST COMPLIANCE REVIEWS ARE ON THE RISE
Because the Office for Civil Rights (OCR), the governmental agency responsible for enforcing HIPAA, is increasing its audit activities. OCR, which reports to the U.S. Department of Health and Human Services (HHS), enforces HIPAA through two primary channels: (I) investigating reported breaches, HIPAA violations or complaints, and imposing Civil Monetary Penalties (CMPs); and (II) initiating audits of healthcare organizations.
In addition to having CMPs imposed on the practice, you will be required to maintain a costly corrective action plan that will be monitored by OCR, and in blatant cases individuals could face criminal charges. As of February 2017, OCR has collected over $67 million in HIPAA violation settlements. The latest case, involving Memorial Healthcare System (MHS), cost the organization $5.5 million for a data breach impacting 115,143 patients. The login credentials of a former MHS employee were not revoked in a timely manner. This former employee accepted a new position at an affiliated physician’s office and improperly accessed electronic Protected Health Information (ePHI) using their still-active MHS credentials. A more recent case involved a provider fined $400,000 after a hacker obtained ePHI on 3,200 individuals. This provider performed its risk assessment only after the breach, and found that its controls were insufficient to comply with the Security Rule.
According to OCR enforcement results, private practices are the type of covered entity most frequently required to take corrective action to achieve voluntary HIPAA compliance. According to OCR, the following are the most commonly investigated violations: (I) impermissible uses and disclosures of ePHI, (II) lack of safeguards for ePHI, (III) lack of patient access to their ePHI, (IV) use or disclosure of more than the minimum necessary ePHI, and (V) lack of administrative safeguards for ePHI.
In 2016, OCR expanded its audit program into its next phase, covering both covered entities and their business associates. OCR notifies selected organizations, which then have 10 days to respond by uploading documented policies and procedures that formally demonstrate their technical, administrative and physical safeguards as well as other HIPAA controls (such as the Notice of Privacy Practices (NPP), Provision of Notice, Right to Access, Security Management Process – Risk Analysis, Security Management Process – Risk Management, Timeliness of Notification and Content of Notification). Unprepared covered entities and business associates that have not performed an effective security risk analysis, and cannot show evidence of implementation, will be subject to OCR’s comprehensive audit protocol. If your organization cannot show documented compliance, your practice will most likely be exposed to a full onsite audit and will be expected to deliver a corrective action plan.
Let Us Help You
Oasis Practice Solutions, Inc. can perform a security risk assessment, provide a remediation plan, recommend policy and procedure changes, train your associates and explain their responsibilities, and help your organization stay on track by maintaining a culture of HIPAA compliance, so that you avoid CMPs and OCR-mandated corrective action plans.