The Cost of Noncompliance

0
52

pbs_300dpi(2)HIPAA Security Rule Audits, Breaches on the Rise

By Shawn Piatek for PrecisionBS

One glance at the headlines on seemingly any given day will yield a significant reality of modern society – our private information is always at risk.

During 2014 alone, Sony, Microsoft and the U.S. Dept. of Justice were among organizations that suffered data breaches. Just last month, Anthem Inc., the country’s second largest health insurance company, suffered a massive breach of up to 80 million customer records.  This alarming rise of hacker activity seems to be one of the reasons the U.S. Dept. of Health and Human Services (DHHS) has increased its activities to assure that health care organizations are complying with HIPAA and the HIPAA Security Rule.

Both HIPAA and the HITECH Act are pieces of federal legislation intended to protect the sensitive Protected Health Information (PHI) of patients of all health care providers. The HITECH Act was enacted in 2009 with the aim of reforming and enhancing HIPAA as well as greatly enhancing the penalties for noncompliance with the HIPAA Security Rule.  The HITECH Act also marked the first time Business Associates could be found directly liable for HIPAA violations and empowered DHHS to begin a program for conducting HIPAA audits.

“Prior to the HITECH Act, fines for non-compliance were minimal,” said Brian Shrift, president of Precision Business Solutions and a certified Health Care Information Security and Privacy Practitioner (HCISPP). “But with the HITECH Act, penalties for willful neglect start at $10,000, and go up to $1.5 million.” 

With penalties of consequence in place and a successful HIPAA-audit pilot program having been conducted, DHHS has increased the number of Security Rule compliance audits it is conducting. According to DHHS, the number of Security and Privacy Rule violations resolved in 2013 nearly doubled, going from just over 5,000 cases reviewed in 2012 to 9,837 reviews in 2013. Shrift said that he has found most healthcare practitioners are so busy caring for their patients that Security Rule compliance can become an afterthought.

“I see three main factors playing large roles in this increase in compliance issues among healthcare providers becoming compliant or maintaining compliance,” Shrift said. “First, most don’t seem to understand the scope of everything that needs done to become compliant.   Secondly, when they do know, they don’t know where to turn for help.  Finally, there is already so much on their plate, compliance is getting pushed off to the side.”

In his own practice at his IT consulting firm, Shrift began to realize the need for a more simplified and comprehensive solution to HIPAA Security Rule compliance as he obtained more and more customers in the health care industry. He not only sought out the advice and expertise of legal professionals in the HIPAA compliance field, he increased his own expertise by becoming HCISPP certified. It took over a year of development, but Precision Business Solutions (Precision BS) now offers health care practitioners a one-stop shop for Security Rule compliance.

“It’s been quite an experience to say the least, but the regulations do make sense,” Shrift said. “These rules are there to ensure our private and confidential health information stays that way.  But what was great about this undertaking is all our clients benefited.  We’re raising the bar when it comes to IT security.  And in this age, when every day you hear about a company losing their data or you receive that letter in the mail stating your credit card was compromised, more IT security is good.”

Fines carrying high-dollar amounts aren’t the only problems a practice could face if it fails an audit, or worse, becomes victim to a breach. Even the most successful practices could find the ensuing negative press and almost certain strained relationships with patients difficult to overcome. And after all of that, a noncompliant practice would still need to undertake the proper compliance steps by order of DHHS.

“Other than it being law, it’s just good business practice,” Shrift said. “The laws are in place to ensure you’re keeping your patients’ healthcare information private and safe.  What more justification do you need than that?  Oh, the stiff fines for non-compliance also are pretty important.”

For more information on the Security Rule and the HITECH Act, please visit HIPAASecurityHelp.com.