Courtesy of the MalvernGroup posting service, an interesting source of info about healthcare IT issues that I monitor, here is a link to an interesting article about HIPAA compliance enforcement.
Here are a few things that I learned:
- there have been about 100,000 reports of compliance problems, but the vast majority of them have been resolved with what sounds like coaching and/or corrective action plans;
- the Federal agency that monitors HIPAA compliance, the HHS Office for Civil Rights (OCR), is the primary agency that would be involved with a possible violation, but state agencies might also get involved;
- all of the disciplinary actions have been against organizations; no individual providers have been disciplined;
- all of the disciplinary actions have involved major, often repeated, HIPAA violations, with large numbers of patient records;
- the only violation that resulted in a fine was a case in which the organization was extremely out of compliance with HIPAA, and also refused to cooperate with the OCR investigation; and
- a significant number of violations involved situations in which the health care provider was actually in compliance but criminals hacked into the provider's IT system and stole info.
My takeaway: individual and small practice providers who are trying their best to comply with HIPAA should not fret about the risk of a HIPAA violation. It is, of course, extremely important to do our best in regard to complying with HIPAA.
You are welcome to forward this posting, and future postings from me on this blog, with attribution.
You are also welcome to pass info about this listserv on to others who might be interested in joining.
Richard Sethre, Psy.D., L.P.