HIPAA: Ignore at Your Own Peril

December 6, 2017 Published Work
The Journal of American Academy of Clear Aligners

Dear Compliance Corner,
Does our midsize dental practice really have to take HIPAA seriously? Maybe I am worrying about this too much when we have other priorities to attend to. What is the likelihood that we would ever be audited or investigated for failing to implement HIPAA's requirements?

A HIPAA-chondriac

Dear HIPAA-chondriac,
Unfortunately, HIPAA enforcement has been on the rise and has recently become more aggressive than ever. If you had asked this question 10 years ago, I might have joked that your "HIPAA-chondriac" pen name was justified because there was little to no enforcement activity.

However, all of that changed with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, when the HIPAA enforcement authority of the federal and state government, and the fines for HIPAA violations, increased substantially.

Whereas enforcement used to be primarily complaint driven, the United States Department of Health and Human Services' Office for Civil Rights (OCR) now proactively investigates and audits compliance. While OCR traditionally resolved investigations by merely requiring corrective action, it now imposes significant monetary penalties. Even a technical HIPAA violation could result in millions of dollars in penalties, even if there was no bad intent and even if, exercising reasonable diligence, the entity could not have known about the violation.

2016 was a record-breaking year in federal HIPAA enforcement activity. OCR entered into 13 resolution agreements for HIPAA violations. In comparison, there were only 6 OCR enforcement actions in each of 2015 and 2014. Moreover, OCR collected about $23 million in fines in 2016; the previous annual record was $7.4 million in 2014. In 2016, OCR also imposed the largest penalty ever assessed for HIPAA noncompliance when Advocate Health Care System agreed to pay $5.5 million to settle the government's allegation that it violated HIPAA by failing to adequately safeguard patient information. Advocate had self-reported the theft of 5 laptop computers and a breach of its patients' information by the contractor that was providing Advocate with consulting and billing services.

There have already been 9 resolution agreements in 2017, including a settlement for $5.5 million with Florida's Memorial Healthcare System. It might still be too early to tell, but so far, those hoping that HIPAA enforcement would slow down significantly under the Trump administration have been sorely disappointed—the majority of the 2017 settlements were announced after the appointment of new OCR director Roger Severino in late March.
