We are at an inflection point regarding HIPAA enforcement. For years we have talked about HIPAA regulations including the HIPAA Security Rule, HITECH Act, small scale HIPAA audits and the HIPAA Omnibus Rule but true HIPAA enforcement has eluded us. Are we at a fork in the road where HIPAA enforcement and compliance with HIPAA regulations are a real thing? Could security of patient information be taken seriously by the millions of organizations that are responsible for protecting the data (this includes both HIPAA covered entities and business associates)?
HIPAA audits and enforcement
The Office of Civil Rights (OCR) has been broadcasting its intent to enforce HIPAA regulations. Recently OCR has handed down some steep fines for non-compliance and HIPAA-related breaches. The HIPAA audit program is about to start in the next few months: 800 covered entities and 400 business associates will be audited. While that is a very small percentage of the millions of HIPAA-regulated organizations, it is a first step toward implementing a permanent audit program. Will the permanent HIPAA audit program lead to more robust auditing and, even more importantly, will it lead to more compliance with HIPAA regulations?
HIPAA noise level
At the very least, the noise level regarding HIPAA enforcement and compliance is about to get much louder. Organizations that have ignored HIPAA compliance will start to hear a lot more about audits, fines and compliance. We saw a huge spike in interest last year when the HIPAA Omnibus Rule was released and the September enforcement deadline was approaching. I suspect we will see a similar spike now that the HIPAA audits will start. Will it be a temporary spike, or will organizations take the threat of enforcement and fines seriously? It will be interesting to see.
Image courtesy of Dan / FreeDigitalPhotos.net