This entry is part 10 of 27 in the series HIPAA Audit Tips

The HITECH Act-mandated audits are simply one new “arrow” in the DHHS/OCR enforcement quiver.  It’s not even just about enforcement.  It’s simply about keeping very personal and intimate health information private.  And, to do so, organizations need to become and remain compliant with the HIPAA Privacy and Security Rules and the HITECH Breach Notification Rule.  Here’s today’s big tip – It’s Not About The Audits!  Learn why…

HIPAA Audit Tips

Health Information Privacy Crisis; Not OCR HIPAA Audits

We are in the midst of a large and rapidly growing health information privacy crisis.

  • 60% of consumers do not believe privacy laws adequately protect their privacy
  • Over 80% of regulated entities believe privacy laws are too complex and difficult to understand.
  • 40 million health records were reported breached between 2005-2008
  • 20.1 million Americans reportedly had their health privacy breached in the last two years (those that were reported!)
  • Privacy and security breaches cost hospitals $6 billion a year, and that figure is rapidly increasing (Benchmark Study on Patient Privacy and Data Security)
  • In 2011, the average number of health records lost in a privacy breach was 2,575 (up from an average of 1,769 in 2010)
  • Data breaches are occurring in health care three times faster than in banking and finance
  • A Nov. 2011 survey found that 96% of health providers had at least one privacy breach in the past 24 months
  • Most providers believe electronic privacy violations will get worse.  ANSI report at pp. 21, 37
  • HHS has determined that “there is no such thing as a totally secure system that carries no risk”. 68 Fed. Reg. at 8346 (Feb. 20, 2003)

Health Information Privacy – Not a Newsflash!

The right to health information privacy predates HIPAA and includes the Federal Drug and Alcohol Abuse law and the Family Educational Rights and Privacy Act, among others.  In fact, remember Hippocrates, 4th century B.C.E.: “Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets.”

Being in compliance with HIPAA does NOT insulate you from liability for breach of privacy—HIPAA is merely a “floor” of federal protections.  46 states plus the US Virgin Islands, Puerto Rico and the District of Columbia have enacted privacy and/or security and/or breach notification laws.  Covered Entities and Business Associates are advised to complete a “preemption analysis” in each jurisdiction in which they do business to ensure their policies, procedures and practices meet those specific local requirements.

Proceed With Caution

Don’t forget tort law: “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement of Torts, sec. 652B

Enforcement Reasons to Care About HIPAA-HITECH Compliance

There are plenty of new enforcement arrows in HHS’/OCR’s/CMS’ quiver including, but not limited to:

  • New Civil Monetary Penalty System
  • State AGs Jurisdiction
  • OCR Audits, of course
  • Wider Net including Business Associates
  • Breach Notification Rule
  • “Wall of Shame”
  • CMS Meaningful Use Audits
  • Pending filings under the False Claims Act, a big arrow soon to be used

Bottom Line: Business Reasons to Care About HIPAA-HITECH Compliance

It’s about becoming and remaining compliant because:

  1. It’s the law… HIPAA & HITECH!
  2. Your stakeholders trust and expect you to do this
  3. Your revenues, assets and reputation depend on it!


The complete HIPAA Privacy, Security and Breach regulations are here.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.