Last year the Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA, conducted 115 HIPAA compliance audits. The program is being looked at as a pilot project that will eventually be used to put in place a permanent audit program. According to a HealthcareInfoSecurity interview with OCR’s Susan McAndrew:
A contractor is evaluating the results of last year’s 115 HIPAA compliance audits conducted as part of a pilot project. “We’re looking to the evaluation as helping guide us as to where we can best concentrate our efforts, and clearly the funding situation needs to be sorted out for the audit function,”
Fines will fuel OCR budget
OCR’s director Leon Rodriguez told HealthcareInfoSecurity that the audit program will begin again in late 2013 or beginning of 2014:
“My best guess is that [audits] will continue either in the latter part of 2013 … [or] certainly by 2014, we’ll be back in the business again,” the nation’s chief HIPAA enforcer says. “A lot depends on what our resources look like.”
Monetary penalties that OCR imposes as a result of its various HIPAA enforcement actions will fund continuation of the audit program, he notes. Over the last year, OCR has collected about $4 million in a handful of settlements.
And be warned: Rodriguez says healthcare organizations should expect to see OCR issue more and larger monetary penalties for HIPAA non-compliance in the months to come. OCR has an “inventory” of ongoing investigations that Rodriguez expects will conclude with monetary settlements.
OCR budget to increase slightly
The HHS Office for Civil Rights, which is responsible for HIPAA enforcement, would have a budget of $42 million, up $1 million. That small increase would be used primarily for enforcement of the HIPAA Security Rule. The budget would support adding seven full-time staff, bringing the total to 233.
The HHS budget document says OCR received almost $4 million as a result of penalties included in settlement agreements tied to HIPAA violations in fiscal 2012 and anticipates generating $5.5 million from those actions in fiscal 2013. OCR uses funding received through civil monetary penalties and settlements to help support HIPAA enforcement activities.
Number of patient records breached increasing
The count of patient records breached since 2009 continues to increase. The last count had the number at 22 million records breached.
What this all means
Taking all the information into account, one can reasonably conclude that OCR is gearing up to increase HIPAA enforcement by the end of 2013 into 2014. With a business model of using HIPAA fines to fuel the OCR budget, OCR will have many more resources to enforce HIPAA compliance.
You can either enjoy the calm before the HIPAA compliance enforcement storm or you can start making sure you are complying with the HIPAA regulations. Organizations that take HIPAA compliance seriously will be in much better shape than those who chose to ignore it.
When the storm comes, make sure you are protected!
7 Things you must know about HIPAA Security