Lack of HIPAA Compliance can be Costly

The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) recently issued two reports calling for the HHS Office for Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts. In response to these reports, HHS announced that it will launch HIPAA audits in early 2016 in order to be more proactive in HIPAA enforcement.

As a result, the FY 2016 Budget for the Office for Civil Rights (OCR) is $43 million, an increase of $4 million over FY 2015. The increase in funds will support OCR's audit program, which was mandated by the HITECH Act to conduct periodic random audits to assess entity compliance with HIPAA. The audit program will help ensure HIPAA compliance by covered entities and business associates, while also informing OCR on areas to direct its enforcement and technical assistance.

Who is covered by HIPAA?

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, privacy and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

The HIPAA regulations establish national standards to protect individuals' medical records and other personal health information, and apply to health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic claims billing, eligibility and benefits inquiries, and fund transfers.

The HIPAA regulations require appropriate safeguards to protect the privacy of personal health information, and set limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives patients rights over their health information, including the right to examine and obtain a copy of their health records, and to request corrections.


What does HIPAA compliance mean?

There are two distinct and separate regulations under HIPAA. All covered entities and their business associates are required to comply with the final HIPAA Privacy regulations that HHS published in December 2000 and later modified in August 2002. Those who store or transmit protected health information electronically are also required to comply with the final HIPAA Security regulations that HHS passed in February 2003, which are meant to protect electronic data. The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.

  1. The HIPAA Privacy safeguards were designed to keep protected health information safe from a personnel, administrative, and contractual standpoint. The Privacy Rule sets national standards for the protection of individually identifiable health information. Compliance with the Privacy Rule was required as of April 14, 2003. The Privacy Rule protects all 'protected health information' (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.
  2. The HIPAA Security safeguards were designed to keep protected health information specifically in electronic form (computers, networks, email, software, electronic transmissions, etc.) safe from disasters, hackers, and electronic theft. The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005.


What does ACA and HITECH compliance mean?

The Affordable Care Act (ACA) and recent updates to the HITECH Act and the HIPAA Final Omnibus Rule make data privacy and security the highest priority, and they shouldn't be taken lightly, especially with higher fines and legal actions at stake. In September 2013, HHS passed the final Omnibus Rule, which implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, and also finalized the Breach Notification Rule.

HIPAA covered entities (providers, payers, and those that provide business associate services) are at greater risk than ever before. With the federal government adopting incentives and penalties for electronic health records (EHRs), and with the digitization and health information exchange (HIE) of patient clinical information, healthcare organizations face a much higher risk of protected health information (PHI) data loss than ever before.

This is especially true as many HIE technologies leverage the Internet and other emerging communications channels. The use of more electronic information methods means that more and more patient records, as well as communications between doctors and staff and between doctors and patients, will be in the form of electronic communications and subject to retention and HIPAA security/privacy requirements.

