Here at NeoCloud Consulting, we spend a lot of time thinking about HIPAA compliance. While the future of the ACA is being battled out in Washington, DC, HIPAA is separate legislation (enacted in 1996) that is not tied to the ACA, and it will not be affected by whatever that outcome may be. Compliance audits were at an all-time high in 2016, and we expect that trend to continue in 2017.
One visit to the Resolution Agreements page of the HHS website will help you understand why we feel that way. Total settlements for 1996-2014 combined were $8M. In 2015 that total rose to $15M, and in 2016 to more than $26M. Less than a month into 2017, two settlements have already been reached, totaling $2,675,000. Clearly the trend is toward increased enforcement.
The current failure rate for HIPAA audits is a startling 70%. Patients trust their providers not only with their care but also with their personal information, and HIPAA is meant to protect that information. A breach or audit failure costs a provider not only a large sum of money but also the reputation they have worked so hard to build.
Breaches come in many forms: physical theft (lost or stolen unencrypted laptops and portable media are a recurring entry), hacking, improper disposal of records, and phishing scams, among others. A quick look at the HHS OCR Breach Portal is all it takes to realize how many exposure points there truly are. So what's a provider to do? The only way to protect your patients, your practice and your reputation is to have effective, up-to-date compliance and IT security programs.
The Office of Inspector General has published the Seven Elements of an Effective Compliance Program as a broad set of guidelines. You can have the most secure IT practices in the world, but if you don't have the policies and procedures to back them up, your compliance program is incomplete. You can have the best policies and procedures, but if employees aren't trained on them or proper training records are not kept, your compliance program is incomplete. And if the proper IT security systems aren't implemented, starting with the risk analysis the HIPAA Security Rule requires, your compliance program is also incomplete. Compliance and security are both ongoing engagements; there is no way to simply implement either one once and consider yourself HIPAA compliant.
So how do you know if you're covered? We're here to help! Check our IT Checkup Checklist or HIPAA Compliance Checklist, or just contact us directly to have a conversation about your gaps. We are uniquely positioned to offer not only fully managed IT services but also complete compliance support services that help protect your practice and reputation!