Though the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, it wasn’t until 2003 that the first national data privacy and security rules were issued by the U.S. Department of Health and Human Services (HHS). These include the Privacy Rule, Security Rule and Enforcement Rule.
The HIPAA Omnibus Rule, effective March 23, 2013, amended the Enforcement Rule to ensure covered entity (CE) liability for the acts of business associates (BAs) who are agents of the CE in accordance with the federal common law of agency. To enforce HIPAA rules, the HHS Office for Civil Rights (OCR) has indicated a shift toward more focused audits based on data patterns and trends. This month’s blog takes a look at recent OCR efforts, affirms the importance of BA risk assessments, and provides eight steps to ensure CEs and BAs meet HIPAA compliance.

Enforcement of HIPAA Privacy and Security Rules Increasing, Along with Associated Penalties
OCR has stepped up enforcement of all rules and penalties. Complaints and reports of breaches initiate an investigation, and any potential breach must be reported promptly. Fines are assessed for lack of timely breach notification. Further, failure to notify affected individuals of the breach incurs an additional violation for each day of delay.
Penalties are tiered based on the type and frequency of the violation. There are four HIPAA violation penalty tiers, each defined by level of culpability.

Importance of Risk Assessments
From January 2, 2015 through February 2018, OCR investigated 31 organizations for breaches and assessed a total of $52.7 million in penalties. Fourteen organizations (45 percent) were cited for inappropriate risk management—either failure to conduct a thorough risk assessment, or failure to act following assessment and risk identification.
The next highest citation (29 percent) related to Business Associate Agreements (BAAs)—either failure to establish a BAA, or failure to review and update the current BAA to comply with HIPAA rules. Several organizations on the list were cited and fined for both reasons.

Can You Pass Scrutiny? Eight Steps to Ensure Compliance
Consider the following steps to ensure your organization and all BAs are in compliance with HIPAA rules:
Further, it is prudent to keep up-to-date photos of the workspaces used by employees and BAs who work remotely. Best practice is to visit remote locations in person to verify compliance, since OCR audits require proof that offsite and remote workspaces meet HIPAA requirements.
Finally, exercise extreme diligence with privacy and security rules if your organization uses offshore vendors to perform work and access PHI. Legal teams should develop offshore vendor contracts that:
Sidebar List: Important Security Safeguards to Follow