Since mid-2013, the Department of Health and Human Services (“HHS”) has recovered more than $10 million from numerous entities in connection with alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). However, during a recent American Bar Association conference, Jerome B. Meites, a chief regional civil rights counsel at HHS, told attendees he expects the past 12 months of enforcement to pale in comparison to the next 12 months. According to Mr. Meites, HHS’ Office of Civil Rights (“OCR”) desires to send a strong message to the industry through high-impact cases.
In addition to the anticipated increase in fines, Mr. Meites said that the OCR still expects to begin conducting new rounds of HIPAA audits later this year on some of the 1,200 companies that were identified earlier this year as potential audit candidates. These 1,200 companies include approximately 800 covered entities (health care providers, insurers, or clearinghouses) and about 400 business associates.
Mr. Meites also made two extremely pertinent comments concerning HIPAA compliance. Specifically, he said that portable media devices have caused an enormous number of the complaints that the OCR deals with and that an entity’s failure to perform a comprehensive risk assessment, as required by HIPAA, has factored into most of the data breach cases which resulted in financial settlements.
Entities subject to HIPAA’s requirements need to be conscious of not only the planned aggressive punishment related to privacy breaches and security lapses, but also the OCR’s extensive audit strategy. However, simply knowing that such plans are in place is not enough, and entities subject to HIPAA should begin to examine their own policies and practices and make changes as needed to address these issues.