The Office for Civil Rights' crackdown on HIPAA violations over the past year will "pale in comparison" to the next 12 months, a U.S. Department of Health and Human Services attorney recently told an American Bar Association conference.
Jerome B. Meites, OCR chief regional counsel for the Chicago area, said that the office wants to send a strong message through high-impact cases, according to Data Privacy Monitor.
The Office for Civil Rights has been levying fines to make healthcare entities take notice: nine settlements since June 1, 2013, have totaled more than $10 million. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.
"Knowing what's in the pipeline, I suspect that that number will be low compared to what's coming up," Meites said in the article.
The OCR has said that when it resumes HIPAA audits this fall, the investigations will have a narrow focus and there will be fewer onsite visits. Meites told the American Bar Association that the OCR still has to decide which organizations it will select for an audit from a list of 1,200 candidates--800 healthcare providers, health plans or clearinghouses--and 400 of their business associates.
A report last December from the Office of Inspector General criticized the OCR's enforcement of the HIPAA provisions, including inadequate focus on system and data security.
Meanwhile, the total number of breaches on the U.S. Department of Health and Human Services' "wall of shame" topped 1,000 this month, with at least 34 breaches so far in June. The records of nearly 31.7 million people have been exposed since federal reporting was mandated in September 2009.
FierceHealthIT Editorial Advisory Board member David Harlow makes the point in a LinkedIn post that there is no one-size-fits-all HIPAA compliance plan--each organization must tailor its plan to its own privacy and security needs.