HIPAA Compliance in Chicago
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. In recent years, attacks on and breaches of electronic Protected Health Information (ePHI) have been on the rise and in the news. The number of HIPAA complaints received by OCR rose steadily from about 6,500 in 2004 to just under 13,000 in 2013.
Our security team specializes in helping SMB and Mid-Market healthcare organizations assess and manage risk according to HIPAA requirements. We can help your organization reduce the risk of a security breach.
In response to this trend, in 2011 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) established a formal audit program to complement its online complaint portal, allowing OCR to examine compliance proactively rather than only in response to complaints. The first (pilot) phase of audits took place during 2011 and 2012 and covered 115 covered entities. The second phase was scheduled to begin in the fall of 2014 and run through 2016.
The expanded audit program is intended to improve the security of healthcare organizations by verifying that they assess and manage risk to ePHI.
Equilibrium is well versed in the HIPAA-required risk assessment approach. The HIPAA Security Rule requires organizations to implement security controls that are "reasonable and appropriate" to protect their ePHI, and it makes risk analysis a required implementation specification (45 CFR 164.308(a)(1)(ii)(A)) rather than an optional one. Organizations must first select their set of controls based on the outcome of that risk assessment. Then, as part of their security program, they must practice ongoing risk management to verify that the controls remain in place and are operating effectively.
Now is a great time to review your HIPAA compliance to get a step ahead of the Office of Civil Rights' audit program.
HIPAA was modified by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, and more recently by the HIPAA Omnibus Rule in 2013.
HITECH contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. It also imposes breach notification requirements for unauthorized uses and disclosures of "unsecured PHI", meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the methods specified in HHS guidance (encryption or destruction). In practice, properly encrypting ePHI at rest and in transit is what keeps a lost laptop or intercepted transmission from becoming a reportable breach.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule included many changes, including these two examples:
- Finalized an increased, tiered civil money penalty structure for HIPAA violations, with the tier determined by the organization's level of culpability
- Made business associates of covered entities, and their subcontractors, directly liable for compliance with certain HIPAA Privacy and Security Rule requirements
Consequences and Fines
About 66% of HIPAA violation investigations end in some form of corrective action, ranging from required changes to policies and practices up to a settlement payment. The cases that make the news typically involve a settlement of between $250,000 and $4,000,000. Since 2009, civil penalties have ranged from $100 to $50,000 per violation depending on the culpability tier, with an annual cap of $1.5 million for violations of the same provision.
Criminal penalties apply to knowing violations: fines of up to $50,000 and up to one year in prison, rising to $100,000 and five years when the offense involves false pretenses, and to $250,000 and ten years when the intent is to sell the information or to use it for commercial advantage, personal gain or malicious harm.
EQ Whitepaper: HIPAA Compliance
Every proactive HIPAA compliance effort starts with a risk assessment. Equilibrium's security practice can help.
Don't wait another minute. Contact Equilibrium to get your HIPAA compliance questions answered.