The healthcare industry should expect to see ramped-up enforcement of HIPAA as security breaches of electronic and even paper patient protected health information continue to plague covered entities and business associates, according to Iliana Peters, senior adviser at the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) for compliance and enforcement.
"If you have a breach and you have your ducks in a row and have done a comprehensive and enterprise-wide risk analysis, we will do our best to work with you to remediate the issues and move on. But if there are a whole bunch of problems, then we can't walk away," Peters warned at the seventh annual conference on health information security in the District of Columbia; the gathering was cosponsored by OCR and the National Institute of Standards and Technology.
Almost 1,200 security breaches of 500 or more patient records have been reported through the end of August, as well as 122,000 breaches affecting fewer than 500, Peters said. Breaches involving information technology and hacking are also on the rise. A breach at Community Health Systems, likely thanks in part to the computer bug Heartbleed, allowed hackers to gain access to data of more than 4.5 million patients.
OCR's complaint load continues to increase, and the agency reviews each one. "People still remain incredibly concerned about the privacy and security of their data," Peters said.
In June, FierceHealthIT reported that the OCR's crackdown on HIPAA violations over the past year will "pale in comparison" to the next 12 months, according to a U.S. Department of Health and Human Services attorney.
Peters did not specify when phase two of HIPAA's audit program will go live, but said that OCR hopes to implement it "soon." Earlier this month, officials announced that the launch date would be pushed back as OCR continues to work on protocol and technology updates so it can better receive information from auditees.
"There are no bombs today," Peters said.
The permanent audit program, required by the HITECH Act, will look somewhat different from the pilot program: most of the audits will be desk audits, and the audits will be more proactive, not just complaint-driven. Moreover, only what organizations submit the first time will be analyzed. Peters suggested that entities avail themselves of the guidance and tools the OCR and others have published, train their workforce in HIPAA compliance, and take other steps to protect patient information.
"Settlements and money penalties are never off the table," she said.