Information security director talks of increased HIPAA enforcement

An article over at Healthcare IT News titled Get set: New HIPAA has teeth gives insight into the increased HIPAA enforcement that is looming.

Diana Manos interviewed Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin for the article. Rey provides some insight into some of the changes that the HIPAA Omnibus Rule presents and some recommendations to help with compliance.

The HIPAA Omnibus Rule went into effect on March 26, 2013 and covered entities and business associates have 180 days to comply. Rey warns not to be lulled by the 6 month delay in enforcement

Providers and their vendors and subcontractors have “in theory,” 180 days to comply before the Office for Civil Rights begins enforcement of the Omnibus Rule, beginning Sept. 23, 2013, Rey warns. But this doesn’t mean providers shouldn’t beware. They still will be held accountable under the old HIPAA rules until then, he says.

Enforcement increasing

Rey goes on to warn that OCR has given notice that they are serious about HIPAA enforcement.

According to Rey, OCR has already prosecuted five covered entities, with the settlements ranging from $50,000 to $1.7 million. The smallest OCR enforcement action involved the breach of fewer than 500 records. “I think they are putting out the message that they are serious about enforcement. They are going after small and large cases,” Rey says.

He also warns that OCR is stepping up their enforcement efforts

He said he had received emails from OCR indicating the agency is starting to hire enforcement officials. “There’s going to be a lot of enforcement going forward,” he says.

Good advice

Rey provides good advice for all covered entities and business associates and especially smaller provider groups.

“Don’t take this lightly. The main reason covered entities ran into big problems with OCR last year, was they didn’t conduct risk assessments,” he says. “Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.”

He also recommends implementing encryption and protecting servers

Encrypt data in laptops and determine if data might best be kept safer in a centralized location. He points out that PCs and servers are also vulnerable to breaches.

Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information. Download our free guide to better understand the HIPAA Risk Assessment process.