<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
SCHEDULE A CALL
Show all

HIPAA Enforcement: The future of HIPAA penalty caps and limits, and regulatory actions on failure to comply with breach notification rules

Caps on HIPAA penalties restrict OCR's ability to enforce proportionately

OCR Director Roger Severino said at the 2018 HIPAA NIST/ OCR conference, that it may be necessary for them to revisit the caps in HIPAA enforcement actions.  When asked about the inconsistency among different federal agencies on the amounts of penalties levied for data breaches, Director Severino said that having a consistency or standard among agencies may not be easy to accomplish.  On the HIPAA side, there are caps on the penalties that can be levied.  He admitted that it may be necessary to take another look at these caps to ensure fairness and proportionality for judgments.  If a company is so large that a multi-million dollar fine may not be a big impact for them, then the caps may actually be hindering OCR’s ability to impose an appropriate enforcement action on such a company.

HIPAA enforcement highlights

The OCR Director highlighted their recent HIPAA enforcement highlights and provided some details behind those cases.  Some of the cases he discussed were how one covered entity left unprotected medical records on an open truck, one entity mentioned a patient’s name on a press release, insufficient monitoring of logs to detect incidents and how film crews were allowed into a medical center without prior authorization.

$45, 360, 383 is the total amount collected by OCR in HIPAA enforcement actions from January 1, 2017 to October 15, 2018.  They have exceeded $100 million in collection amounts from 2008 onwards.

Regulatory actions against entities that fail to report breaches

When asked about the future of the desk audit program, Director Severino indicated that while they are pleased with the number of entities coming forward to report their breaches, OCR may now focus some energy on entities who have not reported their breaches in accordance with the breach notification rule. They may look into taking regulatory action against entities who do not report breaches as required.  

A note to all healthcare entities – If you suffer from a reportable breach, make sure you adhere to breach notification rules and procedures in a timely manner as dictated by law.

 

Healthcare Information is a precious resource 

Director Severino closed his address by saying that healthcare information is like a bar of gold.  There are bad people who want access to it. 

  • Store it in a safe place.
  • Put a perimeter of defenses.
  • Train your personnel.
  • Monitor your logs.
  • Do your risk analysis. 

 

New call-to-action

Rema Deo
Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.

Related posts

December, 10 2024
November, 26 2024
October, 29 2024

Comments are closed.

Proposed HIPAA Law Changes
Enterprise-Wide Risk Analysis: How Non-Healthcare Organizations Can Learn From HIPAA
Subscribe to our Blog!