The Necessity of HIPAA Compliance

In 2016, the Office for Civil Rights (OCR) entered into more resolution agreements, and issued costlier fines, for violations of the Health Insurance Portability and Accountability Act (HIPAA) than ever before. Total fines this year were almost triple those of 2015, netting more than $23 million in civil money penalties, including the largest fine to date on any single entity, $5.5 million.

In the same vein, earlier this year, OCR began an audit program to review HIPAA compliance. The audit program, which is currently operating within its second phase, is focused on the compliance measures of randomly selected covered entities and business associates. While OCR suggested that the audit was intended to be a “compliance improvement activity,” to develop appropriate technical assistance and helpful corrective action, it also provided that audit results indicating serious compliance issues may be further investigated and trigger a complete compliance review.

Expect OCR to continue its trend of aggressively enforcing HIPAA in 2017, which underscores the need to insulate your practice or business with a comprehensive compliance plan and a risk analysis that addresses and mitigates any applicable privacy and security risks. While all providers are likely aware of HIPAA, and most believe they operate within the scope of “best practices,” few recognize the substantial commitment of time and resources necessary to ensure the enforcement of a robust compliance plan.

Covered entities and business associates alike would be remiss not to heed the warning from those who have been penalized: developing and adhering to an organizational HIPAA plan will not only limit the risk of a breach, but will prevent any subsequent investigation from resulting in significant financial or criminal penalties. Contact Frier Levitt today to speak to an attorney.