HIPAA enforcement has never been a more pressing issue. After years of high-profile Health Insurance Portability and Accountability Act (HIPAA) data breaches, the health IT security firm Redspin recently released a study suggesting that data security and privacy problems are only increasing. As Healthcare IT News reported, Redspin researchers found a “138 percent… jump in the number of health records breached” since 2012. This leap brings the total number of compromised records in the three-year span to 29.3 million. Using breach data reported to the Department of Health and Human Services (HHS), Redspin drew a number of conclusions that echoed precautions given by Leon Rodriguez, the director of the Office for Civil Rights at the U.S. Department of Health & Human Services.
In the Healthcare IT News article entitled “Ready or Not, HIPAA gets Tougher Today,” Rodriguez was quoted as saying that fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on an upward trend, and that’s most likely going to continue. “It’s going to continue to be a small but very important part of the story,” Rodriguez said. “I think it’s important because it very powerfully articulates what our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them.”
What’s Happening with Private Practitioners and HIPAA Enforcement?
With human nature being as it is, the tension between mistakes, crime and their correction is not surprising. Responsible for enforcing HIPAA, the Office for Civil Rights (OCR) has been focusing on smaller violations, primarily those incurred by private practices. As first noted in our 2012 article, private practitioners have been the single most frequently identified entity requiring corrective action due to noncompliance. See “HHS Reports HIPAA Violations and Enforcement Measures are On the Rise” for that early report. That list has remained unchanged for the last two years, with private practitioners still leading the group (in order of frequency):
- Private Practices
- General Hospitals
- Outpatient Facilities
- Health Plans (group health plans and health insurance issuers)
Melamedia’s Health Information Privacy/Security Alert, published as the HIPAA & Breach Enforcement Statistics for June 2014, has shown that breaches are related to the following reasons, in descending order:
- Unauthorized Access / Disclosure
Remedies for Behavioral Health Practitioners?
- Determine if you are a “covered entity”
- Conduct a thorough risk analysis for each device used in clinical practice with clients/patients
- Develop remediation plans for device use if needed
- Document and implement remediation plans or stop using the devices
- Develop your HIPAA policies
- Train your staff
- Document your training
- Obtain Business Associate Agreements
- Develop breach notification plans
- Stay abreast of updates to HIPAA
If you are unsure of how to proceed, register for the 1-hour, TeleMental Health Institute HIPAA & HITECH Made Easy for Behavioral Professionals webinar. Fully recorded for listening up to six months, the webinar comes with 1 CE, a handout and viewable slides.