BreachExchange mailing list archives

2016 HIPAA Audits to Begin: Are you Confident in Your HIPAA Compliance?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 28 Jan 2016 18:57:36 -0700

http://www.jdsupra.com/legalnews/2016-hipaa-audits-to-begin-are-you-16019/

Although the Health Insurance Portability and Accountability Act, or
“HIPAA,” has been around since 1996, with its implementing regulations
first published in the early 2000s, it is definitely not “old news.”  In
light of recent heightened awareness of data privacy and security and the
potential for damaging data breaches, particularly with respect to health
records, HIPAA is once again at the forefront of regulators’ minds, and
should be at the forefront of providers’ minds as well.

Beginning early this year, the Office of Civil Rights (“OCR”) within the
Department of Health and Human Services (“HHS”) will begin performing
random desk and on-site audits of not only covered entities (e.g.,
physicians, hospitals, laboratories, etc.) but also of business associates
(e.g., persons or organizations that perform functions on behalf of covered
entities, such as data hosting companies, law firms, etc.). These audits
are expected to focus on areas of noncompliance that OCR has witnessed in
its previous audits and enforcement actions, such as risk analyses and use
of encryption technology.

HIPAA imposes a long list of privacy, security, and breach notification
requirements.[i] For example, covered entities and business associates must
ensure documentation of and compliance with privacy and security policies
and procedures, performance of security risk analyses of electronic
protected health information, appropriate use of Business Associate
Agreements, and, for covered entities, appropriate dissemination of a
Notice of Privacy Practices.  Any entity that has experienced a breach
should ensure that it has appropriately evaluated, responded to, and
documented the breach in accordance with HIPAA.  All entities should have
systems and protocols in place to properly address a breach should one
occur.

HIPAA violations can carry stiff penalties, with a range per violation of
$100 to $50,000.[ii]  Further, the regulations set an annual maximum
penalty of $1.5 million for multiple violations of the same provision,
meaning penalties can be even higher if multiple violations of multiple
provisions occur.[iii]  A HIPAA violator may also face criminal penalties
or exclusion from federal health care programs.  In some states, including
Virginia, a private right of action related to a breach of privacy or
medical confidentiality may be afforded to individuals whose health
information is mishandled.[iv]

With HIPAA audits right around the corner, health care practitioners,
providers and their business associates need to place additional focus on
carefully evaluating their past and current HIPAA compliance to identify
and strengthen any areas of potential noncompliance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
