Why You Should Be Concerned About HIPAA Security Rules Enforcement

With data breaches in the healthcare industry increasing exponentially, it's critical for those in leadership positions to get serious about HIPAA security and enforcement. You need to understand not only why HIPAA is important but how the rule enforcement process works and the penalties that can be implemented.

Why Is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) was legislated in 1996 and provides security and data privacy for medical information. The Department of Health and Human Services (HHS) and, in particular, the Office for Civil Rights (OCR) oversee and enforce HIPAA.

While the rules regarding HIPAA may seem complicated, they can be summed up in a few simple statements. These include keeping patients' medical records secure and private. The only people who should have access to patients' medical history documents are the healthcare professionals who have authorization and need to know for a patient's care.

Security and privacy aren't just limited to actual paper records. The regulations also extend to electronic documents and medical information that is discussed verbally. Records are expected to be completely accurate and quickly available to those who need to know the information.

If you're responsible for the security of medical information in your organization it's imperative that you're serious about correctly implementing and enforcing HIPAA regulations. Fines have been imposed, individuals have lost their jobs and offices have been closed when HIPPA has not been followed according to guidelines.

What Is the HIPAA Rule Enforcement Process?

There are several ways in which the Office for Civil Rights enforces the privacy rules set forth by HIPAA.

1. Initial Complaint: A complaint is investigated through a process known as Intake and Review. There may be an immediate resolution depending on these initial findings. For example, if the entity in question is not covered by the Security or Privacy Rule then the complaint is resolved. It may also be resolved if the complaint occurred before a specific time period or if the complaint wasn't filed before 180 days had lapsed and an extension wasn't granted. Sometimes it may be determined that the incident didn't violate the Privacy Rule.

2. Possible Privacy or Security Violation: If it's determined that a violation has taken place then an investigation will ensue. There are several different ways the OCR can resolve each case. They can attempt to resolve any problems with voluntary compliance or they may issue some sort of corrective action. They may also attempt to come to some sort of resolution agreement.

3. Possible Criminal Violation: Criminal matters will likely be turned over to the Department of Justice (DOJ). An organization may face several types of monetary and criminal penalties for HIPAA violations.

Monetary

• If the individual or organization was unaware it was in violation of HIPAA the penalty for each violation could be $100 to $50,000.
• If there was a reasonable cause for the violation and not because of willful negligence, the penalty for each violation could be $1,000 to $50,000.
• If a violation occurred because of willful negligence but within the proper time it was corrected, the penalty for each violation could be $10,000 to $50,000.
• If a violation occurred because of willful negligence and was not corrected in a timely manner, the penalty for each violation could be $50,000 to 1.5 million.

• A potential jail sentence for violating HIPAA unknowingly or even with a reasonable cause could be up to one year.
• There could be a potential sentence of up to five years if the violation occurred under false pretenses.
• There is a possible sentence of up to 10 years if the violation occurred because of malice or personal gain.

Cases of Rule Enforcement

There have been thousands of cases regarding privacy practices that have been investigated by the Office for Civil Rights. Corrective measures have been applied in cases when an investigation has shown noncompliance. According to Enforcement Results, reported by Health and Human Services, a dollar amount reaching $72,929,182 has been imposed or settled in 52 cases. These cases have included hospitals, medical centers and pharmacy chains.

OCR has become more aggressive during the last few years regarding enforcement of HIPAA regulations. There have been several specific cases that have resulted in steep fines.

• In Downers Grove, Illinois, Advocate Health System agreed to payments that totaled $5.55 million. This occurred in August 2016 regarding incidents that happened in 2013. The information of four million people was compromised in a data breach. This is the largest HIPAA settlement to date.
• In New York City, Presbyterian Hospital along with Columbia University paid a combined settlement of $4.8 million for information that ended up on the internet.
• Oregon Health and Science University came to a settlement with OCR for $2.7 million for several incidents, such as failure to encrypt thumb drives and laptops. Such harsh action was taken after it was determined that Oregon Health and Science University had not complied with HIPAA as effectively as possible and had not addressed risks in a timely manner.

These are just a few high-profile cases that have resulted from various HIPAA violations.

The Office for Civil Rights is serious about enforcing HIPAA security rules in the workplace. If you're responsible for HIPAA in your company it's imperative that you understand and carry out enforcement within your organization. The potential fines and jail time would not only be devastating on a personal level but could potentially destroy a company or organization.