Compliance can be difficult for some businesses. They may know that it is a necessity, and may even know what they have to do, but they still struggle to implement the practices that would ensure they meet their regulatory responsibilities. HIPAA and HITECH compliance requirements in particular are difficult to navigate, and the consequences of failing to adhere to them can be dire.
In 2016, the Office for Civil Rights (OCR) of the Department of Health and Human Services investigated a series of data breaches and identified several violations of these laws. That enforcement work produced 12 settlements and one civil monetary penalty, amounting to approximately $25,505,300 in fines.
The numbers for 2017 are slightly more encouraging. That year there were only nine HIPAA settlements and a single civil monetary penalty, totaling $19,393,000 in fines. While it is clear that something is working, it is not clear exactly what is or isn't. One thing we do know for sure: businesses don't want to pay money for failing to comply, yet the threat of fines alone does not ensure that everyone meets their requirements.
The types of violations that led to these penalties aren't particularly varied. Most of them stemmed from a failure to safeguard protected health information (PHI), but a few arose from other causes. The reasons cited include:
- Insufficient access control for electronic PHI (ePHI)
- Impermissible disclosure of ePHI
- Careless handling of PHI
- Multiple HIPAA violations
- Delayed breach notifications
- Lack of security management process
- Lack of a business associate agreement
Another notable trend is the failure of organizations to secure their mobile devices in a way that complies with HIPAA and HITECH. Beyond that, the failure to implement proper security processes and the delayed notification of breaches lie at the heart of many of these fines.
Recently, a well-publicized lawsuit was filed in federal court against 60 Indiana hospitals over alleged failures to comply with the HITECH Act. The hospitals allegedly failed to provide records and documentation for as many as 50% of their patients within three business days of a request. Because timely access to records is one of the conditions for receiving HITECH incentive funding, this is a serious problem for the hospitals.
As a result of these alleged failures, the hospitals face potential liability of well over $1 billion for not producing healthcare records when asked to do so. They received $324 million in HITECH funding but allegedly did not meet the program's requirements. The complaint further alleges that the hospitals violated the Anti-Kickback Statute and the False Claims Act by falsely attesting that they met the requirements of the HITECH legislation.
While it's true that not every business needs to consider healthcare compliance, it is more likely than not that your organization handles some kind of sensitive information that is subject to compliance laws. To find out whether your organization is meeting its compliance obligations, reach out to us at (703) 821-8200.