Over the past 12 months the number of reported violations of Health Insurance Portability and Accountability Act (HIPAA) regulations has skyrocketed. According to a recent data analysis, the Department of Health and Human Services (HHS) saw a substantial increase in late 2013, and the upward trend has continued into 2014.
Year-on-year figures show HIPAA complaints have increased by 45.7%, with 6,701 complaints received up to May. Not every complaint has led to action against the organization concerned: a relatively small share, 14%, were closed because no action was necessary, while 26% of the cases that were investigated called for HHS action to be taken.
The rise in HIPAA complaints can be attributed in part to greater public awareness of data security laws. High-profile thefts and data breaches have been headline news in recent months, and the reporting of compliance issues is being actively encouraged. New legislation and regulatory changes have also played a part, and the widespread use of mobile devices in healthcare creates new attack surface that cybercriminals can exploit.
Another reason for the increase is enforcement of the Omnibus Final Rule, which made business associates directly liable for HIPAA compliance and introduced financial penalties for those who fail to meet its standards. Bringing business associates under HIPAA has increased the number of reported violations, since some associates failed to take sufficient action to become HIPAA compliant after the law changed.
The government is taking a hard line on offenders and is running random audits to verify HIPAA compliance. The audits were first introduced last year and are expected to continue into 2015. Healthcare organizations can expect a more aggressive approach from the government in the months to come, with compliance documentation coming under greater scrutiny.
Under the Omnibus Rule, organizations can expect much stiffer penalties for HIPAA violations, with the Department of Justice becoming involved in any data breach believed to involve criminal activity. HIPAA itself gives patients no private right of action, but patients affected by a breach may still pursue claims for damages under state law, while complaints made to the government are followed up and action is taken against offenders.
The growing use of mobile devices, and the extent to which patient data is now stored on and transferred between them, means safeguards must be implemented to maintain compliance and reduce the likelihood of a breach. Password protection on devices, encryption of data at rest and in transit, remote wiping of lost or stolen devices, and secure messaging services can all reduce risk, support compliance, and keep PHI away from prying eyes.