While you’re busy preparing for the upcoming HIPAA audit, here’s an important question that you need to address: what determines the size of the penalty for violating HIPAA rules? According to Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights, two key factors play a role in determining the penalty: firstly, the lack of a timely risk assessment, and secondly, the failure to address ongoing security issues.
Speaking at the security conference hosted by OCR and the National Institute of Standards and Technology in Washington on May 22, Rodriguez pointed out that failing to take action quickly ratchets up the penalties. Highlighting the $1.7 million settlement with the Alaska Department of Health, he said that a relatively small breach incident in that case uncovered bigger issues, which led to a huge fine.
Cignet Health was issued the largest non-compliance penalty, $4.3 million, for refusing to provide patients with their medical information and later refusing to cooperate with investigators. HIPAA violations have led to monetary penalties in 13 cases so far, the latest being the $400,000 penalty announced last week for a breach at a clinic owned by Idaho State University.
The fines and penalties issued so far to non-compliant healthcare entities clearly reveal the seriousness of OCR’s HIPAA enforcement efforts. Last year’s pilot HIPAA compliance audit program noted that the lack of an updated risk assessment was a common problem across healthcare entities.
Therefore, Rodriguez’s advice for your entity is to be smart, to implement best practices, and to conduct risk analysis not just once but on an ongoing basis. So if your entity is not already compliant, it’s about time you make efforts to comply with HIPAA, update your compliance training, and conduct a comprehensive risk assessment as a first step in that direction. Adopting Aegify Security Posture Management and Aegify SecureGRC can prove beneficial if you wish to give your entity a security advantage. With a comprehensive information security and HIPAA compliance framework, this platform can help keep breaches away and avoid HIPAA penalties.