Growing HIPAA enforcement suggests that the government thinks providers who are “working on” HIPAA policies and procedures should know better.
Many organizations seek comfort in the fact that they are “working on” HIPAA Privacy and/or Security policies and procedures, and are hopeful that if they are audited or have a complaint, the government “will go easy on them.” The truth is that the government has high expectations for HIPAA compliance, and little patience for providers’ slow or incomplete efforts to implement HIPAA security measures - and has recently come down hard on providers whose HIPAA compliance efforts were in progress.
The Example. A health services company was investigated after an unencrypted laptop was stolen. The OCR found that the company had conducted security risk assessments and identified that lack of encryption was a risk. The company had started to encrypt, but had not yet finished. The OCR imposed a $1,725,220 penalty.
Likewise, a health plan was investigated after an unencrypted laptop was stolen. The company encrypted their devices after the breach—but it was too late. The OCR found a pattern of HIPAA noncompliance going back to 2005.
In other words, “we’re working on it” or even “we just did that” are not effective defenses.
What You Can Do. Make HIPAA risk assessments, policies, procedures, and training an immediate priority. Everyone working in health care is busy—but the government does not see that as an excuse. Consider sharing penalty examples with leadership, in order to motivate your organization to stick to a quick timeline for addressing HIPAA.