- $125,000 HIPAA Settlement of Secure Disposal of Paper Medical Records - April 2015
- $150,000 HIPAA Settlement of Unpatched and Unsupported Software - December 2014
- $800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014
- Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014
- Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014
- QCA Settles HIPAA Case for $250,000 - April 22, 2014
Those sound like scare headlines from Healthcare Industry trade journals intended to boost magazine sales. They are actually the recent listings from the US Government's Office of Civil Rights (OCR) webpage describing recent HIPAA settlement examples. (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/)
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.
As of the end of May 2015, OCR has received over 115,929 HIPAA complaints and has initiated over 1,216 compliance reviews.
HIPAA is serious stuff.
Why is meeting this compliance requirement so hard?
Many would point to the vagueness of the legislation or the lack of clear guidelines about what compliance really means. But in this case that vagueness was intended to give many different organizations flexibility in their operations rather than confine them to a rigid, one-size-fits-all "box". This really is beneficial, despite the pervasive message that there are no clear standards.
For most seasoned IT professionals, HIPAA really changes nothing: shouldn't we (and the company) always strive to do our best to protect the company's, and our clients' (patients') data? Shouldn't we already be safeguarding our computers, servers and networks? Shouldn't we already have a contingency plan in the event something bad (system failure, breach, natural disaster, etc.) occurs? In my opinion, HIPAA simply mandates for Healthcare that which should be second nature to any organization anyway. Oh, and it mandates it with a little bite to go with the bark.
I find it difficult to believe that any (or at least most) organizations purposely violate HIPAA (or most laws, for that matter). But it happens. Why?
Much of the problem may lie in a typical organization's inability to get the whole team operating on the same priorities and focused on clearly and honestly understanding the risks the organization may have. The culture in many organizations inhibits those who fully understand the organization's weaknesses from fully communicating them. There may also be other projects or tasks that are seen as higher priority, so despite the knowledge, mitigation never gets the attention it needs. This is certainly not unique to Healthcare either (just ask Target or Home Depot about their data breaches).
Sometimes organization size plays a part: smaller organizations may feel their risk is lower because they are less visible and less of an intrusion or audit target; larger companies often get lost determining who is accountable for what, and it becomes very easy for no one to be accountable. Sometimes an organization finds it hard to begin the journey of identifying issues (preparing the required HIPAA Risk Assessment) and resolving them because the journey seems too large to take on while still maintaining normal operations and budget.
What are the keys to getting control of HIPAA compliance?
The most critical initial step for success with HIPAA compliance is leadership support. Whether it is the Board or the owners, there has to be an acceptance of the need for compliance and the willingness to allocate resources to address issues.
This does not typically mean altering the focus of the organization, but it certainly means supporting a culture of awareness and supporting an ongoing effort to mitigate issues that are identified in a timely manner. It certainly includes training staff and having routine communication that honestly depicts the current security/compliance profile of the organization.
In most cases it is much easier to understand and improve risks by partnering with an outside organization whose only mission is to accurately report and assist with remediation. This is because most internal resources are influenced by some organization or peer pressure or have too many competing priorities. History has shown that it is very difficult for employees to identify and report bad news in an organization for fear of reprisal or a perception that they are not completing their job.
This has been known on the financial side of business for years - why do companies voluntarily pay for annual financial audits, even when they are not public companies? The audits, and partner firms, are the best mechanism for identifying (and in many cases assisting with resolving) risky or anomalous issues with finances. The outside audits are more widely accepted by those outside the company looking in. And, in most cases, your audit partner has your back if your reporting is called into question, as in a tax audit or court case. Why would a HIPAA (or data security) audit be any different?
The last key for success is the recognition that compliance and remediation are a journey and an ongoing set of tasks, rather than a one-time task that you check off a list once completed. There are very few organizations that could produce a risk assessment that identifies no risks or areas for remediation. For most, the list may take years to fully resolve (considering budget and resource constraints). Fortunately, the current legislation provides the latitude to remediate over time - the regulators know the task is daunting for most organizations.
The power of Powernoodle and the Agile HIPAA Audit™
It is hard to imagine the coordination and scope of a HIPAA compliance project truly being successful without some tool to assist. Medicalodges, a large skilled nursing provider based in Kansas, understood this. They chose to use the Agile HIPAA Audit™ process, grounded in the Powernoodle platform, to include team members from outlying locations and get a full understanding of HIPAA compliance issues across the company (something not feasible without Powernoodle and this process).
An application, especially Powernoodle, can dramatically increase the efficiency of identifying issues, ranking priorities, organizing remediation efforts, and providing up-to-date reporting and compliance status. By gaining insight from the complete organization and reducing the bias/groupthink that plagues many projects and decisions, as well as organizing remediation efforts into 90-day sprints, company leadership will see results in the first 90 days: improving processes and reducing compliance/security risks.
A cultural change will also occur from focusing and empowering employees and teams in as productive a manner as possible. Leadership may come to wonder why they aren't using Powernoodle for projects other than HIPAA compliance (which, as we all know, they can!)
Written By: Steve Arndt
If you would like to learn more about the Agile HIPAA Audit™, please contact firstname.lastname@example.org.