Touchstone Compliance

Why Serious HIPAA Enforcement Is Inevitable

To borrow a phrase from Stephen Colbert, the Office of Civil Rights (OCR) — the department in charge of HIPAA enforcement — got a “wag of the finger” a while back from the Health and Human Services Office of the Inspector General. And that’s bound to have an impact on healthcare offices everywhere.

A November 2013 report from that office pointed out serious weaknesses that need to be addressed in OCR’s enforcement of HIPAA compliance. Titled — in all caps, no less — THE OFFICE FOR CIVIL RIGHTS DID NOT MEET ALL FEDERAL REQUIREMENTS IN ITS OVERSIGHT AND ENFORCEMENT OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT SECURITY RULE, the report includes this blunt criticism of the job they’ve done so far:

“Although OCR made available to covered entities guidance to promote compliance with the Security Rule, it had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. As a result, OCR had limited assurance that covered entities complied with the Security Rule and missed opportunities to encourage those entities to strengthen their security over ePHI.”

Are you ready for your HIPAA compliance audit?

After being called out so publicly by the Inspector General, I wouldn’t be surprised if the OCR now feels it has something to prove. And Jerome B. Meites, OCR chief regional counsel for the Chicago area, agrees. In a recent talk at an American Bar Association conference, he predicted that previous efforts to crack down on HIPAA violations would “pale in comparison” to what’s in the pipeline.

He also pointed out that the OCR intends to send a strong message with high-impact cases. It appears they’ve already started. In the past 12 months, the OCR has levied fines totaling more than $10 million on nine covered entities!

HIPAA enforcement won’t be limited to healthcare providers. The OCR plans to zero in on business associates as well. And as more fines are collected, the funding for more audits is bound to increase. With the OCR stepping up its efforts at HIPAA enforcement, the possibility grows that you and your business associates (BAs) could be audited.

So, be forewarned. And don’t wait any longer to seriously address HIPAA compliance. Do your part to give Stephen Colbert’s finger one less reason to wag — when he takes over the Late Show from David Letterman later this year.
