How Will HIPAA Enforcement Change in 2017?

In March of 2016, the Health and Human Services Office for Civil Rights (OCR) launched into Phase 2 of HIPAA audits. One year later, experts have begun to speculate that these HIPAA audits will start to shift away from a purely educational focus, to one of enforcement. As healthcare IT continues to grow more complex with technological advancements being made each year, room for error and HIPAA vulnerabilities will also grow. In turn, we can expect to see OCR begin to take more steps to enforce HIPAA standards.

HIPAA Violation Fines Have Increased

Some evidence of OCR’s trend toward enforcement can be found in the increase of HIPAA violation fines. According to OCR’s website, 2016 saw a large jump in fines imposed for HIPAA violations, with a total of $23.51 million in penalties. By comparison, in 2015, OCR issued $6.19 million in fines for HIPAA violations, and in 2014 that number was $7.94 million. As further proof that OCR may take more steps to enforce HIPAA regulations in 2017, this year has already surpassed both 2014 and 2015, with fines totaling $11.375 million in January and February.

Onsite HIPAA Audits Are Coming

In addition to OCR’s trend toward more HIPAA-related penalties, 2017 will likely also mark the beginning of onsite audits; according to an HHS Office for Civil Rights official, OCR will be conducting a “small number” of onsite HIPAA audits this year. Up until this point, audits have all been remote, or “desk” audits. The number of onsite audits conducted in 2017 will be very small, but the shift toward in-person evaluations is further indication of OCR’s commitment to evaluating and understanding HIPAA vulnerabilities, as well as potentially enforcing penalties.

Business Associates Will Also Be Audited

Finally, a growing focus on Business Associate compliance will also shape the face of HIPAA audits in 2017. While the first phase of HIPAA audits focused solely on covered entities, the second phase has extended to also include Business Associates. A Business Associate (BA) is defined by the HHS as, “as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”  With OCR extending audits to BAs, it’s crucial that your organization only partner with those that are willing to sign a Business Associate Agreement (BAA) to signify their compliance with HIPAA standards. If a Business Associate can’t or won’t sign a BAA, they are putting your organization at risk of penalty. Whether it’s an e-prescription service, data storage service or online fax service for PHI, your organization should always demand a BAA before doing business.

Even though a BAA isn’t a guarantee of HIPAA compliance, it does indicate that your Business Associate is confident enough in their own compliance to assume liability. So if a prospective Business Associate won’t agree to signing a BAA, it indicates a lack of confidence in their own compliance standards; a Business Associate who won’t sign a BAA is asking to do business with you, while making your organization assume all of the risk.

What About the HIPAA Conduit Exception?

Unfortunately, the HIPAA Conduit Exception has been used by some cloud fax providers and other services to dodge the responsibility and liability that comes with signing a BAA. If your Business Associate is unwilling to sign a BAA, then they’re putting your organization at risk. Learn more about why the HIPAA Conduit Exception does not make providers HIPAA compliant.

What Does All This Mean for Your HIPAA Compliance?

With the changing landscape of HIPAA compliance audits, it’s more important than ever that your organization prioritizes self-auditing in 2017, so vulnerabilities can be detected and resolved. Additionally, with a shifting focus toward Business Associate compliance, be sure to steer clear of potential partners that won’t commit to signing a BAA. Even though OCR seems to be moving toward stricter HIPAA compliance enforcement, staying on top of auditing yourself and your Business Associates will ensure that your compliance is never in question.