If the last several weeks are any indication, HHS' Office for Civil Rights will likely step up HIPAA audits and enforcement actions against covered entities in 2016.
In a guest post for Healthcare Info Security, David Holtzman, vice president of privacy and security compliance services at information security consulting firm CynergisTek and former senior advisor for health IT on the health information privacy team at HHS' OCR, said the agency's latest settlements suggest the OCR will be more vigilant about audits.
In December alone, OCR announced three monetary settlements with HIPAA covered entities: Lahey Hospital and Medical Center in Burlington, Mass., agreed to pay $850,000 to settle potential HIPAA violations; a Puerto Rico payer agreed to pay $3.5 million — the second-largest HIPAA fine ever — to settle violation allegations; and University of Washington Medicine in Seattle agreed to pay $750,000 to settle violation allegations.
"I expect the agency will announce more high-profile enforcement actions in 2016, and then use any financial penalties collected to fuel beefed-up enforcement," Mr. Holtzman wrote.
In September, the OCR awarded a $770,000 contract to FCI Federal to conduct audits of up to 250 covered entities to measure their HIPAA compliance, but Mr. Holtzman said the contract is too small to conduct any action outside of asking organizations to submit documentation outlining their policies and procedures. He expects money collected from the new settlements will fuel a larger audit program.