Increased enforcement of Health Insurance Privacy and Portability Act provisions by Health & Human Services’ Office of Civil Rights is resulting in ever-larger monetary settlements.
And according to HR and benefits consultant Buck, that’s due to a lack of compliance and preparedness on the part of organizations. In fact, according to its 2019 HIPAA Readiness Survey, a substantial percentage of firms fail to successfully follow HIPAA privacy and security policies, resulting in breaches that could let those firms in for substantial penalties.
Among other failings, the survey reveals that 42 percent of survey participants did not know when a risk/threat analysis was last conducted, or said it had been conducted one more than five years ago—this in spite of the fact that best practices dictate such an analysis be performed annually, particularly in this age of cyberattacks.
In addition, 33 percent of survey respondents either have not inventoried their business associates or didn’t know if they have done so; 16 percent lacked current business associate agreements, or didn’t know if they had them. That could leave them on the hook in the event of a breach, particularly since the breach notification rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.
And more than a third—35 percent—said the last time they offered HIPAA training was between one and five years ago, while 13 percent only provide training during onboarding and 10 percent didn’t know the last time it had been provided.
And while 74 percent said they had policies and procedures in place in the event of a breach notification, 10 percent said they didn’t.
Firms eager to protect themselves should remember that lack of a formal written risk analysis may result in a breach deemed as willful neglect, and that breaches considered as willful neglect carry the highest fines. It adds that an essential component of HIPAA compliance is an up-to-date risk/threat assessment to identify key IT security weaknesses.
Other problems identified by the survey include the fact that just 39 percent of respondents had updated their privacy and security policies and procedures in the last year. Firms failed to adequately communicate documented policies and procedures, which resulted in failure to follow them. They also failed to maintain records of individual training completion.
“Strong governance is essential to protecting information,” says Laurie DuChateau, U.S compliance consulting practice leader at Buck. “It’s risky for group health plan sponsors to be unprepared for a HIPAA audit or investigation as penalties for non-compliance can amount to millions of dollars.”