The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is launching a pilot program this month to make sure covered entities are in compliance with HIPAA privacy and security rules and breach notification standards, according to the OCR. The OCR will perform up to 150 audits to assess HIPAA compliance.
The HITECH Act requires HHS to perform periodic audits to check for HIPAA compliance. The audits will be conducted from November 2011 through December 2012. Initially these audits will likely focus on hospitals and insurance companies, but HMEs could also be a target.
Though early audits are likely to be educational, intended to give a basic assessment of where providers stand with regard to HIPAA, that doesn’t mean there won’t be repercussions for violations. Because the privacy rule has been in effect since 2001 and the security rule since 2003, providers cannot be completely excused for missteps.
HIPAA violations can result in severe penalties (per section 1177 of HIPAA) including:
• a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)
• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both; (Class 5 Felony)
• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both. (Class 4 Felony)
• Civil fines can also be imposed by the Secretary of DHHS, with a maximum of $100 for each violation and a total not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. (Class 3 Felony)
Since the final rule for the HITECH Act has not yet been issued, the OCR can only expect providers to make reasonable judgments about the provisions of the interim final rule.
Providers need to review where they stand on privacy and security compliance and make any necessary improvements. This pilot program of audits will likely be expanded (and the more violations the OCR encounters, the greater the likelihood of strict enforcement), so all providers should be aware of current practices and how to ensure compliance.