I’m not a big fan of scare-mongering tactics. So when I see a bunch of “HIPAA Clampdown” emails making incredible claims about HIPAA fines, I feel compelled to review the facts. So I did!
The bad news: HIPAA complaints are rising each year…
The good news: The percentage of incidents being investigated seems to be falling after rising steadily for six years from 2007 thru 2013. Does this mean you can relax, and not worry? Unfortunately no. While there is no evidence of so-called clampdowns, there is also no evidence that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is letting up on corrective action demands, or that they have loosened their criteria.
On average, 2/3 of complaints are easily dismissed as a non-violation, while 1/3 require some level of investigation. Only about 4-7% of all complaints result in enforcement of a corrective action plan and a fine. That may still seem rather high. But remember, that is the percentage only of incidents that actually get reported. So if you want to improve your odds, don’t do stuff that will get you reported!!
If you’re trying to stay under the radar from hackers and the OCR it pays to know what you’re up against. Hat tip to Calyptix Security for pulling together this summary on the types of HIPAA breaches investigated from 2009 to 2015.
Since medical offices are such open spaces, physical theft is always a possibility, but with the right precautions and discipline, this is probably the easiest to prevent. Yet, as you can see, theft accounts for 44% of incidents. There is little excuse for theft to be that high. As much as 80% of incidents are easily preventable with better policies and enforcement.
It turns out that in 2013 to 2015, Ohio healthcare providers performed better than average on HIPAA compliance, or at least at not getting caught! From April 2013 through Dec 2015, only 27% of all HIPAA complaints reported in Ohio were subjected to an investigation! The national average was closer to 39%.
Lastly, if you suspect there has been a violation or you have been breached, don’t be lured into forgetting it ever happened. As time from the incident passes and the sky doesn’t fall in, pretending it didn’t happen looks more and more tempting. But covering up a breach could be a bigger crime than the breach itself, even one caused by neglect. No matter how small the breach, you are legally obligated to report it to OCR. If it affects more than 500 individuals, that must be done within 60 days of discovery; for breaches affecting fewer individuals, it must be done within 60 days of the end of the covered period. You can even get fined for taking too long to report a breach, as these guys found out to the tune of $475K.
If you want to know where you stand on HIPAA compliance, use our free self-assessment checklist. It’s a simple checklist designed for business owners, not IT staff, to carry out in 30 mins. Obviously it’s no substitute for a complete HIPAA risk assessment, but it will tell you immediately if you need one. If you have glaring holes in your compliance with the HIPAA Security Rule, in 30 mins you’ll know about it!