If a covered entity or business associate fails to comply with HIPAA rules, OCR is authorized to impose fines for HIPAA noncompliance, even when there has been no PHI breach or complaint.
Following a great deal of delay, OCR is currently conducting the second stage of HIPAA compliance audits. The purpose of the audits is not specifically to discover HIPAA violations and issue financial fines, although if serious violations of the HIPAA Rules are identified, financial penalties might be considered appropriate.
The initial stage of HIPAA compliance audits was conducted in 2011/2012 and showed that a lot of covered entities were having difficulties with compliance. OCR made technical support available to help those entities fix areas of non-compliance and did not issue any penalties for HIPAA violations.
Now, after 5 years, covered entities have had enough time to establish their compliance programs, so OCR is not likely to be as lenient.
One of the greatest areas of noncompliance with the HIPAA Rules identified in the initial phase of compliance audits was the failure to conduct a detailed, company-wide risk evaluation.
The risk evaluation is essential to establishing a good security posture. When a risk evaluation is not performed, a covered entity won’t know whether there are any security vulnerabilities that present a risk to the availability, integrity, and confidentiality of ePHI. Consequently, those risks won’t be addressed and reduced to a tolerable level.
The fines for HIPAA violations released by OCR show just how common risk evaluation violations are. Risk evaluation violations usually attract financial fines.
The failure to sign Business Associate Agreements (BAAs) with third-party companies can also be penalized as HIPAA noncompliance. Many covered entities were penalized for not revising BAAs written prior to September 2014, when the Final Omnibus Rule invalidated all active contracts. In September 2016, the Care New England Health System was penalized $400,000 for HIPAA noncompliance and the failure to update a BAA originally signed in March 2005.
BAAs are a crucial matter that OCR is going to monitor throughout its audit process. BAAs, the agreements that set down the permitted uses and disclosures of PHI, ought to be entered into with every third-party service company that gets access to PHI (which includes attorneys).
Penalties for HIPAA violations
When determining a suitable settlement, OCR looks at the seriousness of the violation, the scope of non-compliance with the HIPAA Rules, the number of people affected, and the effect of a breach on those people. OCR additionally considers the financial standing of the covered entity. Punitive action may be required; however, fines for HIPAA violations shouldn’t force a covered entity out of business.
The goal of these fines for HIPAA violations is partly to penalize covered entities for major violations of the HIPAA Rules; however, the goal is also to show other healthcare companies that violating the HIPAA Rules is not acceptable.