Don't fear the HIPAA audit
The threat from hackers affects all businesses, but healthcare providers face the additional threat of fines for failing to comply with HIPAA regulations.
These fines are no mere speeding ticket. Some entities have been hit with penalties exceeding $1 million. And fines can be levied even without a loss of data: noncompliance with HIPAA standards can be determined by an audit from the HHS Office for Civil Rights (OCR) even if no breach has occurred.
Adam Greene, a partner with Davis Wright Tremaine, says HIPAA audits are a very real possibility for many healthcare providers, and IT staff need to prepare.
“The single most important preparation is ensuring that the entity has an accurate and thorough risk analysis,” said Greene, who worked on HIPAA policy at the U.S. Department of Health and Human Services (HHS). He will be presenting an educational session titled "Preparing for a New Level of HIPAA Enforcement" on April 14 at HIMSS15 in Chicago.
After the initial risk analysis, Greene advises HIPAA-covered organizations to focus on improving their policies and documentation for breach response and notification, as well as their policies for patient access to protected health information. A big part of that is establishing fair and reasonable charges for patients to access their own records, whether in digital formats or in print.
Health organizations also should craft privacy and security strategies that go beyond HIPAA and the government baseline, Greene argued.
“The biggest concern should not be that a regulator is going to come and find you noncompliant,” he said. “The biggest concern should be that there are sophisticated actors out there trying to get your information, and your workforce is prone to make mistakes.”
Hacking or breaches can “cause massive reputational harm and breach notification costs if you do not invest in a strong and constantly improving compliance program,” Greene argued.
Last May, New York-Presbyterian Hospital and Columbia University Medical Center paid the largest-ever HIPAA-related settlement, a combined $4.8 million, after a 2010 incident exposed the electronic health information of about 6,800 patients.
Spending time and resources on looking for and fixing privacy and security problems before they occur fits well with the current health reform focus on prevention, Greene said. “I think it is important for leadership to see the return on investment.”