HIPAA Audit Changes May Be Coming
By Todd Sexton
There’s a lot of speculation about what the healthcare industry can expect in 2017. With the presidential election recently behind us and key positions throughout the government changing, privacy and security are likely to remain a hot topic. Tom Price M.D. was nominated as the United States Secretary of Health and Human Services (HHS). Secretary Price comes into office with a reputation for opposing government regulatory activity that affects the relationship between physicians and patients. The question on everyone’s mind is whether we will see continued strict enforcement of HIPAA compliance regulations, or whether there will be modifications.
Here's what we know:
- The healthcare industry, where comprehensive PHI data is found in abundance, has been one of the most targeted and compromised by data breaches.
- From 2013-2016 there were 245 million records breached in the medical sector alone.
- More than 80% of all data breaches were the result of internal or external malicious attacks.
- More than 60% of all data breaches were utilized for the purposes of identity theft.
- 68% of worldwide data breaches occurred in the United States.
- Mark Lanterman, C.T.O. of Computer Forensic Services, says he estimates there's a less than 1% prosecution rate of cyber security criminals due to jurisdictional challenges.
- The Office for Civil Rights (OCR) stated in 2016 they would ramp up HIPAA compliance audits, including those on Business Associates. This is unlikely to change, especially since the audits are essentially self-funded by fines the OCR collects from violations (an estimated $27M in 2016).
Even with the current administration's deregulatory mood, it's undisputed that data breaches across the U.S. are reaching epidemic proportions. This is particularly true in the medical industry, which has seen some of the highest data breach incident rates and lowest prosecution rates.
Industry experts speculate that new regulations could be coming to enforce the security protocols and tools that protect PHI data. Because the OCR is self-funded through revenue from violations, its continued push for HIPAA enforcement is unlikely to change. Many view the compliance audits as positively altering behavior by making medical professionals more aware of the risks.
For independent insurance professionals, staying proactive and hyper-vigilant in securing client data is critical. This can be accomplished with a few simple changes. Use secure methods of transmitting, storing and destroying PHI, and you will be on your way to becoming part of the solution instead of the problem.
Sources:
- Breach Level Index
- CBS Minnesota
- The Hill