Business Associates and Covered Entities alike have been at the receiving end of HIPAA audits from Office of Health and Human Services (HHS) inspectors for a while now. Why this sudden clamor for HIPAA compliance? It is because the federal government has now trained its guns on HIPAA compliance by Business Associates and Covered Entities, in view of the fact that there have been several cases of noncompliance, which have resulted in costly errors and have had a major impact on patient safety. In nearly two thirds of these cases, it was found that the Business Associate or Covered Entity was the source of a data breach or other related offences.
Many cases of noncompliance
Although the HHS has been quite active in its investigations of HIPAA noncompliance for a long time, its activities have gained thrust of late. The New York and Presbyterian Hospital (NYP)’s case of mid-2014, when it was ordered to pay accrued penalties of nearly five million dollars, is just one of many examples of serious instances of data breach. With the prescribed penalty having the possibility of attracting $50,000 per violation, organizations that don’t have their bases covered could invite expensive lawsuits. And yes, there is also the prospect that the violating entity could end up in jail for not taking sufficient care to prevent a data breach.
Easy and uncomplicated ways of getting framed
The way in which HIPAA violations are enforced and penalties imposed is quite harsh: an entity is given 30 days to correct the effects of a breach. If it fails to do so, it is deemed to have committed the breaches with mens rea, which in Latin legal phraseology means “guilty mind”. This is the basis for framing charges and deciding on the quantum of punishment to impose.
So, what should organizations do?
Simple: staying compliant by exercising diligence is the only way out for organizations if they are to avoid the complications of noncompliance with HIPAA Privacy Security. No matter how painful and tortuous an organization finds enforcing HIPAA Privacy Security and securing Protected Health Information (PHI) to be, it has to take all the necessary steps for ensuring HIPAA Privacy Security. Its strategy for ensuring HIPAA Privacy Security should include mastering the art of conducting risk assessments and writing policies, and should aim at securing data and preventing breaches of PHI originating from any or all of these sources:
o Unencrypted data
o Errors (intended or otherwise) caused by employees
o Data stored on electronic devices such as laptops, smartphones or tablets, and finally,
o Business Associates.