Frequency of HIPAA Enforcement to Increase 

At a recent American Bar Association Conference, Jerome B. Meites, a chief regional civil rights counsel at HHS, remarked that the past 12 months of enforcement will likely pale in comparison to the next 12 months.

The coming year will witness especially aggressive punishment of privacy breaches and security lapses under the Health Insurance Portability and Accountability Act. This is significant because since June 2013, the Obama administration has extracted more than $10 million from various entities for alleged HIPAA violations, among the largest hauls in any yearlong period.

“Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Meites said.

Separately, Meites said that the OCR is continuing to winnow down a list of 1,200 companies that were identified earlier this year as potential candidates for a new round of HIPAA audits, which were temporarily halted after federal funding dried up in 2012. Two-thirds of that initial pool consisted of so-called covered entities — providers, insurers and clearinghouses — while the remaining one-third included so-called business associates that may store or process the protected health information maintained by those entities.

Meites also offered a few words of advice for HIPAA compliance:

  • The ongoing need to find ways to better secure laptop computers and other portable devices that carry patient information and frequently are stolen or lost.

  • The failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the relatively few cases in which breaches actually resulted in financial settlements and not just corrective actions.

How Medical Risk Institute can help: