Avoid Healthcare’s “Wall of Shame”
No. We’re not talking college flashbacks. We’re digging into data breaches and some recent changes related to the Final HIPAA Omnibus Rule. The Office of Civil and Human Rights (OCR) announced in September that it has delayed its planned second round of HIPAA audits. Additionally, during the American Health Information and Management Association (AHIMA) Convention, which took place last week, an OCR representative provided more detail: with the delay, the OCR’s review of 350 provider organizations and 50 business associates (BAs) will likely not begin until early 2015. Originally, the audit was scheduled to take place this month.
This announcement has caused a bit of a ripple in the industry, but hasn’t stirred as much conversation as could be expected. Those in the know on this subject understand that—despite the obvious risk to patients that comes from not protecting their data—failing an OCR audit comes with significant financial penalties. And an actual breach can land you on HHS’ public database, aptly referred to as the “wall of shame” in the industry and further explained in a recent blog by compliance expert Virginia B. Sizemore.
Cruising through an audit has become more complicated. And with the passing of the final HIPAA Omnibus rule in 2013, the definition of a BA has expanded and providers are on the hook for any breaches of patient health information (PHI) on their watch. Healthcare organizations need to implement stronger security and privacy safeguards on PHI or face up to $1.5 million in fines and potential criminal prosecution.
That’s a lot of money—but it’s paltry compared to some of the settlements that have come out of OCR’s resolution agreements over the past few years.
The delay in the second round—which has been attributed to the need to fix the OCR’s web portal—gives providers some breathing room, but not much. Audit subjects for round two have already been selected, but that doesn’t mean providers can sit back. There appears to be some confusion in the industry regarding the new requirements, and there hasn’t been much buzz in the market to help the affected groups figure out how to protect themselves and their patients from the risk of a data breach. Information is available, though. The law may be catching some groups off guard, but it’s for a great cause—protecting patient information.
Take this time to dig into the law and understand how it affects your organization—stay off the wall of shame.