OK, so why now?
The HHS Office for Civil Rights (OCR) reports that settlement payments last year totaled $25.6 million[1], and it has announced that HIPAA compliance investigations will increase. Funded in part by those settlement fines, OCR takes the view that the industry has had adequate time to develop complete data security policies and procedures. Unfortunately, healthcare organizations are still lagging. So take notice: there will be a higher number of OCR investigations in 2017. That’s more than enough to ruin a good day.
To make matters worse, OCR is not always consistent in its audit process. In some cases, inspections stretch over years, during which the rules can change. Covered Entities (CEs) and their Business Associates (BAs) must conduct Risk Assessments on a regular basis to ensure compliance. That said, there is no definition of what a ‘regular basis’ means, or of what a ‘comprehensive Risk Assessment’ entails. They’re not saying HOW to do it, just do it.
Not surprisingly, OCR’s perspective on compliance is “sometimes a matter of judgment on the language in pertinent regulations.”[2] The more funds OCR collects, the greater the expectation that it will use the additional resources from those settlements to increase the number of audits.
[1] Goedert, Joseph. "Why OCR is aggressively enforcing HIPAA compliance." Health Data Management. Source Media, 1 Dec. 2016. Web. 16 Dec. 2016.
[2] Ibid.