The Office for Civil Rights (OCR) has been busy enforcing HIPAA since the Privacy Rule came into effect in 2003. In the last fifteen years, OCR has settled or imposed a civil money penalty in 55 cases, for a total dollar amount of $78.8 million. Many other investigations resulted in corrective action plans or technical help to bring the covered entity or business associate into compliance. Many simply didn’t have the tools to begin with.
OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
The Big Issues
The compliance issues investigated most are, in order of frequency:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
A “HIPAA Compliant” EHR Program is Not Enough
Four of the five issues named do not center on electronic records; they relate to an overall approach that depends on a “culture of compliance” within an organization. Do staff understand what kind of use or disclosure is permissible? Is the workforce trained in the meaning of the minimum necessary standard? When patients request their own PHI, do they receive it in a timely fashion?
A Complete Approach
The HIPAA E-Tool® has it all. Every Policy, Procedure and Form for the Privacy, Security and Enforcement Rules, a Risk Analysis module, and Workforce Training to help staff understand what they need to know to maintain a culture of compliance. Take action now to get in front of the issue, and don’t get caught short in case a complaint or investigation comes your way.
For more information, see the Department of Health and Human Services Enforcement Highlights.