The HITECH Act-mandated audits are simply one new “arrow” in the DHHS/OCR enforcement quiver. It’s not even just about enforcement. It’s about keeping very personal and intimate health information private. And, to do so, organizations need to become and remain compliant with the HIPAA Privacy and Security Rules and the HITECH Breach Notification Rule. Here’s today’s big tip: It’s Not About The Audits! Learn why…
HIPAA Audit Tips
Health Information Privacy Crisis; Not OCR HIPAA Audits
We are in the midst of a large and rapidly growing health information privacy crisis.
- 60% of consumers do not believe privacy laws adequately protect their privacy
- Over 80% of regulated entities believe privacy laws are too complex and difficult to understand.
- 40 million health records were reported breached between 2005-2008
- 20.1 million Americans reportedly had their health privacy breached in the last two years (those that were reported!)
- Privacy and security breaches cost hospitals $6 billion a year, and that figure is rapidly increasing (Benchmark Study on Patient Privacy and Data Security)
- In 2011, the average number of health records lost in a privacy breach was 2,575 (up from an average of 1,769 in 2010)
- Data breaches are occurring in health care three times faster than in banking and finance
- A November 2011 survey found that 96% of health providers had at least one privacy breach in the past 24 months
- Most providers believe electronic privacy violations will get worse. ANSI report at pp. 21, 37
- HHS has determined that “there is no such thing as a totally secure system that carries no risk”. 68 Fed. Reg. at 8346 (Feb. 20, 2003)
Health Information Privacy – Not a Newsflash!
The right to health information privacy predates HIPAA and includes the federal Drug and Alcohol Abuse confidentiality law and the Family Educational Rights and Privacy Act, among others. In fact, remember Hippocrates, 4th century B.C.E.: “Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets.”
Being in compliance with HIPAA does NOT insulate you from liability for breach of privacy; HIPAA is merely a “floor” of federal protections. 46 states plus the US Virgin Islands, Puerto Rico and the District of Columbia have enacted privacy and/or security and/or breach notification laws. Covered Entities and Business Associates are advised to complete a “preemption analysis” in each jurisdiction in which they do business to ensure their policies, procedures and practices meet those specific local requirements.
Proceed With Caution
Don’t forget Tort law: “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement of Torts, sec. 652B
Enforcement Reasons to Care About HIPAA-HITECH Compliance
There are plenty of new enforcement arrows in the HHS/OCR/CMS quiver, including, but not limited to:
- New Civil Monetary Penalty System
- State AGs Jurisdiction
- OCR Audits, of course
- Wider Net including Business Associates
- Breach Notification Rule
- “Wall of Shame”
- CMS Meaningful Use Audits
- Pending filings under the False Claims Act, a big arrow soon to be used
Bottom Line: Business Reasons to Care About HIPAA-HITECH Compliance
It’s about becoming and remaining compliant because:
- It’s the law… HIPAA & HITECH!
- Your stakeholders trust and expect you to do this
- Your revenues, assets and reputation depend on it!
Wanna be even more ready for an audit or hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider:
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: https://clearwatercompliance.com/newsletters/
- Subscribing to our RSS feed: Clearwater HIPAA Compliance Blog
- Attending a live webinar: https://clearwatercompliance.com/live-educational-webinars/