The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently published its HIPAA Audits Industry Report for 2016-2017. Although the review took a while to become available for public consumption, it should still serve as a reminder that the long OCR audit cycles should not instill companies with false confidence that their HIPAA violations will go unnoticed. Considering this report, it is more important now than ever to realize the impact that fines and punishments can have on non-compliant businesses.
A 3-Year Cycle Audit
Most law offices and other HIPAA-compliant businesses saw the OCR report emerge and felt a sense of relief wash over them. However, it is essential to realize that the OCR audit is simply an industry-by-industry review of problems that have been discovered. So, what does it mean? The goal of the audit is to expose areas of weakness across the industry. That way, businesses can examine their own setup and determine what puts them at risk going forward.
To be clear, the long cycle of the OCR audits should not lull companies responsible for HIPAA information into complacency. The fact that it takes so long does not mean businesses can stop looking for HIPAA violations within their own walls. After all, the OCR audit is just one of many ways a company could be found non-compliant.
Specifically, a long audit cycle does not mean:
- No other audits are taking place at a company
- Those common issues mentioned in the audit are the only ones that need attention
Why Your Business Needs to Remain HIPAA Compliant
What happens if a business becomes complacent and does not develop its HIPAA compliance? When a company gets caught violating HIPAA regulations, the resulting punishments can be severe. They include:
- A minimum $50,000 and a maximum $250,000 fine for a willful violation of HIPAA
- Restitution to the victims
- Potential jail time depending on the case
Of course, there are provisions for cases where an individual violated HIPAA due to a lack of training on the part of their company. Even so, these severe punishments are enough to affect the lives of individual workers and potentially sink a business.
How to Prepare: Your Company is Not Alone
Fortunately, companies that are counting on falling through the cracks of an OCR audit, or that simply lack the expertise to implement HIPAA training effectively in their workplace, have options. Using managed service providers (MSPs), a company can hire field experts to audit its HIPAA compliance efforts. These MSPs can develop an action plan to help make a business compliant through training, software updates, and security measures.
Now is the time to start preparing for the next series of audits. While this year’s audit results might not be available for years to come, a company should always be proactive about protecting its customers’ information. Take the initiative with this PDF featuring the Seven Fundamental Elements of an Effective Compliance Program.
Every business that handles information covered by HIPAA needs to be realistic about its capabilities and seek outside help if it cannot manage that responsibility on its own. With such stiff penalties awaiting those who violate HIPAA, working to get into compliance now can prevent disaster down the road.