
Ready, Set, HIPAA Enforcement: 2017 is going to be a year to remember

By Danika Brinda

HIPAA data breaches and HIPAA enforcement were off to the races in the first two months of 2017. Previous years started slowly and then gradually picked up; 2017 is already on an accelerated path.

2016 ended as a record year for both HIPAA data breaches (329 breaches affecting more than 500 individuals) and HIPAA enforcement fines ($23.5 million), but 2017 is off to a quicker start in both categories.

Data breaches

Remember that the government only posts details about data breaches that affect 500 individuals or more. Here are the key facts about 2017 HIPAA data breaches reported through February 28, 2017:

  • 42 data breaches affecting more than 500 individuals have been reported
  • Unauthorized access/disclosure leads the breach-type category with 17 (40%); hacking/IT incident is a close second with 13 (31%)
  • 312,827 individuals have been affected by the 42 data breaches
  • Unauthorized access/disclosure and hacking/IT incident together account for 289,584 (93%) of the total individuals affected
  • Paper/films is the most common breach location with 10 (21%), followed by network server with 8 (19%)
  • The largest data breach was at Emory Healthcare, a hacking/IT incident affecting 79,930 individuals
  • California has had the most reported data breaches with 8, followed by Ohio with 4
  • Business associates were involved in only 3 of the reported data breaches

Comparing 2017 to where we stood at the end of February 2016, the number of reported breaches affecting more than 500 individuals is slightly up. The locations and types of data breaches remain consistent with what we saw at the beginning of 2016.

HIPAA enforcement

HIPAA enforcement has been active in 2017 as well. We continue to hear about the HIPAA audits, with on-site audits expected to start sometime in 2017 or 2018. You can prepare for your HIPAA audit by comparing your organization’s HIPAA policies, procedures, practices, and safeguards against the HIPAA Audit Protocol.

HIPAA corrective action plans (CAPs) with monetary fines have made a fast and furious start in 2017. In the first two months of the year, four HIPAA CAPs with monetary fines were assessed, totaling $11.4 million. In the first two months of 2016 we saw only one HIPAA fine.

Of course, the monetary fines and CAPs are always concerning for organizations; however, your organization can learn from what others are being held accountable for. Review the published CAPs to see where the non-compliance with HIPAA occurred, and then make changes within your organization as necessary.

The main categories for the 2017 CAPs with monetary fines are:

  • Inappropriate delay in data breach reporting (reported more than 60 days after the date of discovery)
  • Inappropriate implementation of information system activity reviews
  • Inadequate oversight of user setup and user management
  • Lack of encryption on mobile devices
  • Lack of a current HIPAA risk analysis
  • Insufficient policies and procedures for HIPAA compliance

Assess your HIPAA Compliance Program

Ask yourself a question: Is HIPAA out of sight, out of mind in your organization? If the answer is YES, now is the time to make a change. Implementing a strong HIPAA compliance program can help your organization.

A strong HIPAA compliance program isn’t just a set of written policies and procedures that collect dust on the shelf. A strong HIPAA compliance program consists of:

  • HIPAA policies and procedures
  • HIPAA request forms for patients’ rights
  • A complete Notice of Privacy Practices
  • Established technical, physical, and administrative safeguards
  • A regular HIPAA risk analysis
  • Strong workforce education
  • Effective user management and oversight of systems that hold protected health information
  • Auditing practices that verify compliance
  • Ongoing evaluation of the safeguards the organization has established

Let me know if you ever have any questions—anything HIPAA goes.

Until next time,
