In 2015 and 2016, the number of confirmed violations was double the number confirmed in 2014. Approximately half of the 2015 violations were found in November and December alone, following a directive from the Office of the Inspector General (OIG) to begin actively enforcing HIPAA policies.
In light of recent breaches, enforcement of HIPAA regulations is bringing more of the organizations it governs under scrutiny. HIPAA is being enforced regardless of the size of your practice or your history of breaches, and there are steps that must be taken to protect you from fines of up to $6 million.
Cost of Non-Compliance is High
In 2016, an insurance holding company entered into a $3.5 million settlement after it experienced multiple breaches. The Office of Civil Rights (OCR) found that the company had failed to conduct a risk assessment and implement security safeguards. HIPAA security risk assessments are important, yet many providers haven't performed one simply because they don't know where to start, or because they think they can't afford it.
The average fine imposed by the OCR to date on a single organization for HIPAA violations is $1,070,585.
Fines range from as little as $100 to as much as $50,000 per category of violation for a first offense, with maximum fines of up to $1.5 million per category of violation per year. In addition to the fines imposed by the OCR, the cost of detecting the breach, notifying patients, mounting additional responses, and lost business can run from tens of thousands of dollars for small practices to hundreds of thousands or millions for large medical networks and hospitals. These fines and additional costs are unnecessary and easily avoided by implementing precautions, such as Compliance Clinic, to manage these agreements and assessments.
Regular HIPAA Audit Program Will Launch In 2017
The OCR will complete the Phase 2 audits already in progress in 2017 and launch its regular auditing program the same year. Through these efforts, small practices, many of which believe themselves beneath scrutiny, will be subject to desk audits and potentially more intrusive on-site audits, regardless of whether they have suffered a data breach in the past. These audits will review more than just Business Associate Agreements; however, Compliance Clinic will make desk audits go more smoothly by providing a single location where these agreements and the corresponding risk analyses are stored and accessed.
Risk Assessment Analysis Must Be Updated Annually
Under the HIPAA Security Rule, our Healthcare Partners are now obligated to ensure that their Business Associates are also complying with HIPAA regulations. Doing so requires a risk assessment, which must be updated annually, and a signed Business Associate Agreement.
Compliance Clinic takes away the guesswork by making the risk assessment as simple as sending your Business Associates an email. Through our easy-to-use cloud platform, you can invite each of your associates to register for a free Associate account, allowing them to complete a self-assessment and electronically sign a HIPAA-compliant Business Associate Agreement. Each year, your associates receive an automated reminder to update their assessment and sign a new Agreement. These documents are retained and available for download by either the Healthcare Partner or the Business Associate in the event of an audit.