Health Insurance Portability and Accountability Act (HIPAA) is a legislation of the American Congress. HIPAA enforcement consists of taking steps to confirm that rules set out in HIPAA are being complied with by the requisite entities.
Primarily passed with the intention of ensuring that employees do not lose their health insurance benefits when they change or leave their current jobs; this 1996 law also has the protection and security of Protected Health Information (PHI) as one of its chief aims. The Office of Civil Rights (OCR), which enforces actions relating to HIPAA, imposes harsh penalties on healthcare organizations and Business Associates and Covered Entities that are proven to be in noncompliance of HIPAA requirements.
The actions that the OCR takes to ensure implementation of HIPAA provisions constitute the essence of HIPAA enforcement actions. There are a good number of areas which the OCR can cite as constituting cases of HIPAA violations or noncompliance. A look at recent HIPAA enforcement actions point to a trend. These trends serve as an indicator of what to expect from HIPAA enforcement actions, which will help entities get some idea of what they should implement and what they should not and thus prevent being cited by the OCR.
A look at recent trends suggests that HIPAA enforcement actions mainly target security risk assessments. This leads to harsh penalties, as happened in the case of New York-Presbyterian Hospital (NYP). The hefty $ 4.8 million penalty slapped in 2014 on this hospital was for data breach caused by insufficient security risk assessment. While this is the biggest sum fined; the OCR issued at least three other hospitals for putting in place inadequate security risk assessments in 2014.
If inadequate security risk assessments come first in terms of HIPAA enforcement actions, its cousin, risk management comes next. Where risk management differs from security risk assessment is in the enforcement of appropriate remediation efforts once inadequate security risk assessments have broken out. So, healthcare organizations that have been imposed HIPAA enforcement actions need to demonstrate that they are taking the right steps to limit the damage arising out of improper or insufficient security risk assessments. The chief method by which most healthcare organizations do this is by encrypting devices in which sensitive health information is stored.
Going by the recent trends of HIPAA enforcement; healthcare organizations, Covered Entities and Business Associates can take a few steps, such as: