Despite significant penalties and fines, many businesses covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have yet to adequately ensure HIPAA compliance. That’s according to a series of audits conducted throughout 2012 by KPMG on behalf of the Department of Health and Human Services (HHS).
The audits focused on key HIPAA compliance requirements, including the Security Rule, the Privacy Rule and the Breach Notification Rule. Emerging trends, both among health care professionals and the business world at large, make this less surprising than it might at first seem.
Mobile & Security Risks on the Rise
As of late 2011 an estimated 83% of physicians owned at least one mobile device and about one in four doctors were considered “super mobile” users who leveraged both smartphones and tablet computers in their medical practices, according to a survey done by QuantiaMD.
That number has undoubtedly continued to rise. Such devices often store data locally, and they are rarely protected well enough to be HIPAA compliant. They are also highly susceptible to loss or theft, which adds further security risk.
This, coupled with the increase in malicious hacking activity and the increase in health care data breaches noted in HHS’s ongoing breach tabulations, means ePHI (electronic protected health information) is rarely as protected as HIPAA compliance would require.
Audits on the Rise
Initial audits showed smaller providers are less likely to be HIPAA compliant—and the Office of Civil Rights, which oversees HIPAA compliance investigations, expects routine audits to commence this September. When that happens, many smaller providers may be hit with significant fines. The first settlement with HHS, in which an unencrypted laptop was stolen and 441 records were exposed, resulted in a $50,000 fine.
The Health Resources and Services Administration (HRSA) sets out guidelines for HIPAA compliance. Key among these are guidelines establishing policies and procedures for protecting ePHI and designating a security official to oversee them.
For more information on achieving compliance, please reference our prior blog post covering HIPAA compliance best practices.