
Fines on rise as HIPAA aims at medical entities, associates

Medical entities and their business associates are all too familiar with the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA.

While once merely a bureaucratic nuisance, it has taken on enforcement mechanisms that have changed HIPAA from the “boy who cried wolf” to potentially the wolf itself. Based on recent trends, HIPAA-protected entities and business associates can expect to see a rise in HIPAA-audits and fines this year.

From the time that HIPAA was passed until the Omnibus Bill of 2013, HIPAA was more of a nuisance than a real problem and came with very little to no consequences.

On Sep. 23, 2013, the tables turned: Amendments to HIPAA went into effect that increased penalties, equally burdened covered entities and business associates and enforced what was already in the law. Each year, since the amendments went into effect, fines have increased.


One of the most common ways for HIPAA-covered entities or their business associates to be penalized for violating HIPAA is through an audit by the Department of Health and Human Services’ Office of Civil Rights. The OCR investigation may be initiated by the filing of a complaint by a patient.

Since the 2013 amendments, audits have increased each year and have targeted businesses of all sizes.

In 2012, OCR received more than $4 million in fines. After the 2013 amendments, the amount rose to more than $6.5 million.

Each subsequent year, the fine amounts doubled. Patient complaints to OCR tripled in 2016.


It’s important, too, that these hefty fines are not just applied to large medical entities. It is the smaller medical entities, perhaps because they are not expecting to be audited, that have seen some of the sharpest increases in audit cost.

The fines and audits apply not just to medical entities, but also to the business associates of medical entities. Business associates include people and organizations that create, receive, maintain or store private health information on behalf of a HIPAA-covered entity.

Examples of business associates include medical billing and/or transcription companies and answering services.

While HIPAA-protected entities are not directly responsible for overseeing their business associates, they must take action in the event of a breach by the business associate.


Based on the clear trend of increased audits and resulting fines, HIPAA-protected entities and their business associates should expect an increase in OCR audits in 2017.

Preparation for an audit can seriously minimize risk. Here are four ways to prepare for both HIPAA-covered entities and their business associates:

• Documented employee training. Employees can be a key source of privacy and security violations, particularly considering the reality of cyberthreats and frequency of online and texting communications. In recent OCR audits, improper training was identified as a key area of concern.

To help facilitate a smooth and clean audit, medical employers and business associates should have written training materials with documented acknowledgments of receipt by employees. As a best practice, the employees’ acknowledgment of receipt should show that they received the written materials and that they were verbally instructed on HIPAA procedures. This should be done, with thorough documentation, no less than annually.

• Develop and implement consistent policies and procedures that are not just boilerplate. Another concern OCR identified during recent audits was a lack of written policies that were actually implemented. OCR was further concerned that organizations’ policies were boilerplate or “cookie cutter” legalese, as opposed to practical and individualized.

Based on OCR feedback, all HIPAA-protected entities and business associates are best advised to develop individualized, practical policies to implement HIPAA’s privacy and security protections.

As a measure of thorough preparation, all HIPAA policies should be reviewed annually and noted as such on the written policy, even if nothing is changed. One of the most important components of a HIPAA policy is the performance of regular risk assessments.

• Perform and document risk assessments at least annually. In the event of a breach, OCR will want to see whether regular risk assessments are being performed. For organizations that allow employees to bring their own devices, the risk assessment should include BYOD.

• Conduct a mock audit. To minimize the risks associated with a real audit, conduct a mock audit. That way, the organization would have a copy of all relevant documents compiled and analyzed, with potential problems identified, without risk of penalty.

• If a HIPAA-covered entity or business associate learns it is going to be audited, the best advice is to contact an attorney familiar with HIPAA.

Remember, it is not only large medical providers that are being audited – it also is small agencies that never thought they would be subject to an examination.

While there is no way to guarantee compliance security, taking appropriate steps of preparation will put your organization in the best possible position.

Keely Jac Collins is an employment and education attorney with King, Spry, Herman, Freund & Faul LLC in Bethlehem who frequently writes and presents on topics related to her legal practice. She can be reached at
