Enforcement of the HIPAA/HITECH Breach Notification Rules and related regulations is being significantly stepped up. As a consequence of the new fines and penalties associated with the HIPAA/HITECH Privacy Rule, being prepared in advance for an audit is becoming increasingly critical for covered business entities.
Enforcement of the new HIPAA Breach Notification Rule is a big deal. In the past, audits had been performed only at entities against whom a complaint had been filed. Under the new rule, audits are called for whether or not a complaint against the entity has been lodged. This means that HHS can show up at a covered entity’s door and perform an audit on short notice… and woe be it to the entity which is not ready.
If a business is not ready for such audits, it can be subject to new, significantly higher fines, including a mandatory minimum of $10,000 for willful neglect of compliance. These fines can, in fact, go up to $50,000 per day. All HIPAA Covered Entities and Business Associates need to be fully in compliance and prepared for an audit at any time, or risk the penalties for non-compliance.
In some cases, multi-million dollar fines are possible. Recent enforcement actions have included a one-million dollar settlement for a breach of only 192 records, as well as another involving a small, two-doctor medical office, which ended up entering into a $100,000 settlement with HHS over its lack of Security Rule compliance. It appears that the days of “slap-on-the-wrist” penalties are over and much larger fines and settlements are being levied, with more on the way.
The take-away for covered entities is that, if your compliance and audit preparation with respect to HIPAA/HITECH issues is not at 100%, now is the time to get it there, before it is too late.