Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a Pandora’s box just waiting to open where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is likely going to come from all of the business associates that are now going to be held responsible for any HIPAA violations that occur on their systems.
For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are two of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of direct responsibility for any HIPAA violations. Yes, this means that healthcare companies acting as business associates that experience HIPAA violations could be fined just as covered entities previously could.
To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.
This is likely going to be a recipe for disaster for those organizations that aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines: Idaho State University was fined $400k for HIPAA violations, and WellPoint received a $1.7 million penalty for its HIPAA violations. In the first case, a firewall had been disabled for a year; in the second, an online application database containing sensitive data had not been secured.
Of course, none of the above examples take into account the possible civil cases that can be brought against these organizations or the brand impact of a HIPAA violation on the organization. The penalties for a HIPAA violation range from $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willful Neglect – Corrected.”
I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many of them. Plus, healthcare organizations had better make sure they have proper business associate agreements with these companies in order to insulate themselves against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate, and they won’t likely be happy with what they find.
The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.
John,
Completely agree! September 23rd is less than 60 days away. And as you cited in the two cases above, fines aren’t just for breach.
Willful neglect of known PHI leakages is a target for HHS’s biggest guns.
I just returned from the HealthPort HIM Summit where Jan McDavid and Rita Bowen provided tons of Omnibus guidance. Hospitals and practices should tap into HIM professionals for help in “shoring up” their privacy and security compliance before the other shoe drops!
Good points to raise the flag on John. As a healthcare consulting firm, we rarely deal directly with PHI and never on our own systems. But we interact daily with firms associated with our clients that do, so this is a good piece of information to keep in mind and talk to our clients about.
Beth,
The issue of Willful Neglect is going to be an interesting one. We haven’t seen many fines for people who deliberately did something that violated HIPAA. They’ll be coming soon though.
Keith,
I’m in a similar position to you. Glad you found the blog post useful.