Over the past year the number of reported violations of Health Insurance Portability and Accountability Act (HIPAA) regulations has risen sharply. According to a recent data analysis, the Department of Health and Human Services (HHS) saw a steep increase in late 2013, and the upward trend has continued into 2014.
Year-on-year figures show that reported HIPAA complaints have risen by 45.7%, with 6,701 complaints received up to May. Not every case has led to action against the organization concerned, although only a relatively small proportion, 14%, resulted in no action being taken. Of the cases that were examined, 26% called for HHS action.
The rise in HIPAA complaints can be explained, at least in part, by increased public awareness of data security laws. High-profile thefts and data breaches have been headline news in recent months, and the reporting of compliance issues is being encouraged. The introduction of new laws and regulatory changes has also played a part, and the growing use of mobile devices in healthcare creates new attack surface that cybercriminals can exploit.
Another reason for the rise is enforcement of the Omnibus Final Rule, which introduced new financial sanctions for business associates that fail to adhere to HIPAA standards. Bringing business associates directly under HIPAA has increased the number of reported breaches, as some associates failed to take appropriate action and become HIPAA compliant after the law was changed.
The government is taking a hard line on offenders and is running random audits to ensure HIPAA compliance. The audits began in 2013 and are expected to continue into 2015. Healthcare organizations can expect a tougher approach from the government in the months to come, and compliance documentation will come under greater scrutiny.
Under the Omnibus Rule, organizations can expect much more stringent penalties for HIPAA violations, with the Department of Justice becoming involved in any data breach thought to involve criminal activity. Any patient harmed by a data breach may pursue civil action under state law to recover damages for loss and suffering (HIPAA itself provides no private right of action), while complaints made to the government are followed up and enforcement action is begun against offenders.
The increasing use of mobile devices, and the extent to which patient data is now recorded and transferred in patient management, require security measures to be implemented to ensure compliance and reduce security violations. Password protection, data encryption, remote wiping of lost or stolen mobile devices and secure messaging services can all be used to reduce risk, ensure compliance and keep PHI out of the hands of criminals.