What steps are U.S. healthcare organizations taking to ensure HIPAA Security Rule compliance? How well are the HIPAA Rules understood? Are healthcare providers actually compliant with the HIPAA Rules now?
These questions will naturally be answered when the Office for Civil Rights compliance audit program recommences early in 2016. In the meantime, SecurityMetrics – a Utah-based merchant data security and compliance company – decided to get some answers now and conducted a survey of health IT professionals to gain a better understanding of the general state of HIPAA compliance among healthcare organizations.
Attitudes on HIPAA-Compliance Probed
SecurityMetrics compiled a survey to probe attitudes on common patient health data protection issues, the network security measures used to safeguard data, and other security issues such as Wi-Fi encryption. The aim was to gain a better understanding of the efforts U.S. healthcare organizations are making to comply with the HIPAA Security Rule.
Over 300 healthcare professionals took part in the survey and were asked over 40 questions relating to data security and patient privacy issues, as well as being asked to rate their own organization’s compliance efforts. The company’s report provides some insight into the general state of HIPAA compliance. Some of the key findings of the report have been listed below:
- 10% of respondents indicated their organization did not plan to achieve full HIPAA-compliance status
- 20% of C-Suite staff did not plan to follow all HIPAA Regulations
- 77% of organizations provided Security Rule and Privacy Rule training to staff, yet 10% said their staff received no HIPAA training whatsoever.
- 60% of compliance officers and health IT professionals said their organization had developed a Risk Management Plan
- Only 63% of healthcare organizations were currently encrypting Protected Health Information stored on work devices
- Confidence in compliance efforts was high, with 80% believing their organization was HIPAA-compliant, although only 76% of risk and compliance officers believed that their organization would actually pass an OCR HIPAA-compliance audit.
- Most of the IT professionals’ and compliance officers’ answers revealed their organizations were not actually fully compliant with all aspects of the HIPAA Security Rule.
According to SecurityMetrics HIPAA Security Analyst, Brand Barney, “The healthcare industry is significantly less secure than executives think.”
Fortunately, with at least two and a half months to go until the second round of HIPAA-compliance audits starts, there is still time for healthcare organizations to address risks and achieve full compliance status. Based on the results of the survey, a small percentage plan to do very little. If those companies are selected for an audit, they could be in for a rude awakening, and potentially a very costly one. Even if they escape an audit, the next data breach they suffer could still incur considerable costs.
What are those costs? SecurityMetrics pointed out that in addition to an OCR HIPAA fine of up to $1.5 million, per violation category, per year, the costs that could potentially be incurred include:
- State attorneys general fines in the region of $150,000-$6.8 million
- Federal Trade Commission fines of $16,000 per violation
- Credit monitoring services for data breach victims at $10 per individual
- Approximately $1,000 per breach victim if a class-action data breach lawsuit is successful
- Loss of patients, which could be as high as 40%
The full HIPAA Security Rule Compliance Report can be downloaded here.