In the wake of high-profile data breaches in recent months, in particular the breach of PHI across 209 hospitals run by CHS, compliance with HIPAA regulations is now high on the agenda, especially considering the large penalties being applied by the OCR.
Any data breach involving more than 500 people must be reported at both state and national levels, and the report triggers an official review by the OCR. The investigation examines how the data breach occurred and which measures and safeguards had been implemented to protect the data. Fines are issued for any breach that arose from a failure to adhere to HIPAA guidelines.
However, data breaches on their own are not the only reason fines are applied. Compliance with HIPAA requires policies to be strictly implemented so that security risks are effectively dealt with. When an organization is reviewed, it is measured against a standard to determine whether there has been willful neglect and whether a violation has occurred.
An absence of a thorough risk analysis is itself a violation of HIPAA regulations. If the risk analysis is carried out and data security issues are highlighted, all of those issues must be addressed quickly. If security concerns are not tackled, ePHI could be exposed; the OCR will consider this a violation and is likely to issue a monetary penalty.
Even without a data breach, a compliance review may take place: an organization can be selected for review in random audits. Compliance with all procedures will be assessed, and the OCR will apply a financial penalty for each procedural violation of HIPAA regulations found.
The right to submit a complaint belongs to any person who has reason to believe that the regulations have been breached, or that a covered entity or business associate "is not complying with the administrative simplification provisions". If an individual submits a complaint, the HHS may conduct a compliance review.
Healthcare organizations and other HIPAA covered entities are therefore warned to act on each privacy issue rather than wait for an OCR investigation. Non-compliance, including a failure to control documentation appropriately, is enough to earn a violation and a financial penalty for each compliance issue found. Ignoring HIPAA compliance issues can be a very costly error to make.