HIPAA mandates the privacy of personal health care records. HIPAA is a serious issue for health care providers, both financially and from a risk-management standpoint. Providers need to allocate annual funds proactively to the defense of regulatory audits, before the actual adverse action occurs, because once you accept Medicare/Medicaid it is not a question of "if" but of "when." In the Medicare/Medicaid world, a single HIPAA infraction can catastrophically put a company out of business. In today's climate of daily technical advances and allegations of cybersecurity breaches, health care providers must be cognizant of cyber criminals, their intent, their modus operandi, and what personal and company information is valuable to such criminals. The HIPAA statutes are vague and lack detailed explanations as to penalties.
In 2018, the Office for Civil Rights (OCR) issued a record-breaking $28 million in fines for HIPAA violations. The number of health care providers under investigation by HHS in 2019 is on track to be another record.
As more and more data is maintained on computer systems, that information becomes more and more accessible to potential scammers. In 2017, the number of cyber attacks increased exponentially to 5,207. There is actually an itemization of how many of those attacks were germane to health care: health care breaches accounted for 8.5% of all breaches. 2.3 billion health care records have been exposed. This isn't new. In 2015, more healthcare records were breached than in any previous year: 113 million healthcare records were exposed that year. Now, in 2019, we may witness an all-time high.
Human error is the number one reason for HIPAA violations. Employees gossiping and disclosing private health care information among each other is another culprit, along with social media and lack of training.
The largest individual HIPAA settlement was reached in October 2018, when OCR fined health insurer Anthem $16 million.
The irony is that the government (Medicare/Medicaid) and private payors are pushing for collaborative health care and the sharing of health care records among varying providers. Yet the possible HIPAA breaches increase with collaboration.
In April 2019, HHS randomly selected 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for Compliance Reviews. The CMS Division of National Standards, on behalf of HHS, has launched a volunteer Provider Pilot Program to test the compliance review process.
The Trump administration has interpreted HIPAA penalties differently than the Obama administration did. Now HHS will apply a different cumulative annual civil monetary penalty (CMP) limit to each of the four penalty tiers in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
There are four tiers of HIPAA violation severity outlined in the HITECH Act, based on the violator’s level of culpability:
Under the Obama administration, the annual limit for each tier was $1.5 million.
HIPAA penalties are appealable, and given the wide disparity in penalty amounts, it is well worth the time and expense to appeal.