The “Phase 2” audit results are in: a significantly high percentage of Covered Entities (individuals, rganizations, and Business associates bound by HIPAA regulations) are continuing to miss the mark when it comes to the proper handling of protected health information.
The audits themselves are part of the Office of Civil Right’s (OCR, US Dept. Of Health) plan to raise the level of HIPAA enforcement for Covered Entities. Especially in view was how well covered entities had implemented the Security Rule Risk Assessment, as well as the Risk Management plan.
Targeting the Culprits
As past HIPAA settlements indicate (in 2016, HIPAA settlements alone amounted to $23 million), unintended or inappropriate disclosures of sensitive data typically come through untrained personnel, utilizing poor procedural methods for handling data. In some cases, unprotected network drives, unencrypted data, and even theft of computer equipment have allowed sensitive data to be accessed by nefarious actors, and even held for ransom.
For these reasons, the Phase 2 audits were especially focused on:
- The adequacy of a company’s security policies and procedures regarding PHI accessibility, vulnerability, and integrity
- A thorough identification of the company’s risks regarding the flow of PHI at all points in the environment, and corrective actions
- A company’s breach reporting policies and procedures, including provision of notices to those affected, appropriate notice content, and follow-up
Non-compliant companies identified by the audit were given a corrective action plan, often with deadlines as little as 30 days. In addition, the OCR decided to increase fines for non-compliance by 10%.
What Does all this Mean?
Besides the negative impact that a fine or breach may have on the offending company – both monetarily, and in terms of business reputation – the real victims, of course, are those individuals and families impacted by having their personal information disclosed.
The OCR takes this seriously, which is why repeat infractions of HIPAA occurring within the same year may potentially cost companies millions of dollars per violation. Even when no ePHI is breached, failure to maintain security documentation, train employees, or acquire a Business Associates Agreement (BAA) may result in hefty fines for non-compliance.
All of which means that handlers of PHI need to get serious about HIPAA compliance, and begin to implement the security standards and corrective actions now. Covered Entities and their Business Associates should also begin at once to especially evaluate their policies and procedures, privacy notice practices, and BAA’s.
If all of this seems daunting, HIPAA Vault’ HIPAA Compliant Solutions can help. We offer you a smart choice for protecting your data, with low-cost, fully managed and HIPAA Compliant Cloud. Our expertise in system security, scanning and protections will preserve your environment from the latest vulnerabilities, while giving you the peace of mind that your sensitive data remains accessible, and your patient data secure.