Since mid-2013, the Department of Health and Human Services has recovered more than $10 million from numerous entities in connection with alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). However, during a recent American Bar Association conference, Jerome B. Meites, a chief regional civil rights counsel at the Department of Health and Human Services (“HHS”), told attendees he expects the past 12 months of enforcement to pale in comparison to the next 12 months. According to Mr. Meites, HHS’ Office of Civil Rights (“OCR”) desires to send a strong message to the industry through high-impact cases.
In addition to the anticipated increase in fines, Mr. Meites also said that the OCR still expects to begin conducting new rounds of HIPAA audits later this year on some of the 1,200 companies that were identified earlier this year as potential audit candidates. These 1,200 companies include approximately 800 covered entities (health care providers, insurers, or clearinghouses) and about 400 business associates.
Mr. Meites also made two extremely pertinent comments concerning HIPAA compliance. Specifically, he said that portable media devices have caused an enormous number of the complaints that the OCR deals with and that an entity’s failure to perform a comprehensive risk assessment, as required by HIPAA, has factored into most of the data breach cases which resulted in financial settlements.
Entities subject to HIPAA’s requirements need to be conscious of not only the planned aggressive punishment related to privacy breaches and security lapses, but also the OCR’s extensive audit strategy. However, simply knowing that such plans are in place is not enough, and entities subject to HIPAA should begin to examine their own policies and practices and make changes as needed to address these issues.