Seriously, HIPAA Enforcement Really is Changing

HIPAA was a big scary thing in 2003 and it turned out to be nothing but a waste of my time and money.  Don’t try to scare me with that again.

I hear it often enough to feel pretty sure it is a belief many hold and only some voice.  Whether people say it out loud or through their actions, it is clear that they plan to keep doing what they have done for ten years, which is not worry about it too much.  Meanwhile data is piling up, press releases are going out, and interviews keep announcing that it really is different now.  I have quoted those interviews repeatedly.  This time, let's talk numbers: hard data, not opinions.

The OCR chart below shows a fairly steady rise in enforcement activity.  The only slight dip came in 2009/2011, when everyone was waiting to see how the rules would change for HIPAA and for health care as a whole.

HHS/OCR Resolution Activity

Total Resolutions, in gold, counts the cases that have been closed (open cases are not reflected).  There are many ways a complaint can land in the green Resolved After Intake and Review category: the party may not be a covered entity (CE) or business associate (BA), the activity may have nothing to do with the HIPAA rules, or more than 180 days may have passed since the complainant learned of the problem.  No Violation, in blue, is how everyone hopes a case will be resolved.  Corrective Action Obtained, in yellow, is where you land if a problem was found.  Some are more serious than others, but in every one of those cases changes were required to resolve the issues.

What do these numbers show us?

  1. The number of resolved cases is steadily going up
  2. The number of cases resolved at intake and review has pretty much leveled off since 2007
  3. The number of No Violation findings has leveled off since 2008 and may be starting a downward trend
  4. Those dips apply to every column except Corrective Action Obtained
  5. Corrective Action Obtained resolutions continue to trend upward

Cases are going up, a smaller percentage are closed without investigation, a smaller percentage are closed with No Violation, and Corrective Action is required in a steady or rising percentage of cases.

The ability to finally apply stiff penalties has only just started to show up in the enforcement numbers, and those are trending up financially as well.  Below is a chart of the Civil Money Penalty resolutions.  The outlier is the 2011 Cignet case, which included an extra $3 million penalty for refusing to cooperate with the investigation.  That worked out well for them, huh.  When that extra penalty is taken out of the numbers you see a pretty consistent rising trend, especially when you consider that the ability to apply the new penalty structure didn't fall into place until around 2010.  Over $14 million has been collected in 12 cases.

OCR Civil Penalty Resolutions

In a previous article, I discussed the findings of the OCR audits.  OCR already has a good idea that the majority of compliance issues are in small provider entities.  It now has the data, and the ability to collect penalties from those found not following the law.  It is also legally obligated to audit for compliance, which further aids enforcement of the rules.

Importantly, many OCR statements show they just want to see that you are trying to do what is right and follow the law.  Not worrying about it, as some have been doing, clearly will not count as trying to do what is right.  Devote time and resources to your compliance on a regular basis.  You just can't ignore it anymore without someone eventually taking notice, and ignoring HIPAA obligations is willful neglect, which means things won't go well for you either.

Many estimates put the average cost per record of a data breach at roughly $190.  If your practice stores data on 1,000 patients and you have a breach involving all of them, that comes to $190,000 just in dealing with the problem.  If, on top of that, you weren't making an honest effort to protect those patients, then penalties apply, and for willful neglect a penalty is mandatory.  Willful neglect that is not corrected puts you in the highest tier, starting at $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.  Now start doing that math, and keep in mind they can count every day you weren't compliant as a separate violation.

Enforcement is changing.  The people say it and the numbers show it.  The reasons to make sure you are compliant go beyond the fact that it is the law.  The rules are designed to protect your patients' information and, by extension, your business.  Can you honestly afford to ignore all those numbers?
