IPswitch conducted a recent survey of 100,000 end users who were asked about their most challenging compliance issues. According to the survey, compliance with the Health Insurance Portability and Accountability Act (HIPAA) was the clear winner for the top spot. Of the 100,000, 38.2% chose HIPAA, and second place, at 29.3%, went to the Sarbanes-Oxley Act (SOX). The next closest IT concern was compliance with the Federal Information Security Management Act (FISMA), at a mere 9.2%.
Let’s focus on HIPAA for this entry. Why are so many concerned about HIPAA? I think the answer is simpler than you might imagine. First of all, the law is ambiguous and almost always changing, through the interim final rules and final rules released by the HIPAA regulatory body, HHS. Second, in the past, HIPAA was known as a paper tiger. It roared a whole bunch, sat up in an attack posture and threatened punishing results for those who failed to comply. But the penalties were capped at low enough amounts, and patients were not allowed individual actions, so the ROI on compliance simply didn’t make sense. Spending potentially hundreds of thousands of dollars to defend against a much lower potential exposure was not an easy sell.
Add to that the fact that, prior to the February 2009 passage of HITECH, there were no significant enforcement actions taken between HIPAA’s passage in 1996 and 2009. The utter lack of knowledgeable talent who fully understand the HIPAA Privacy and Security Rules was, and still is, also a problem. Since HITECH, several significant penalties have been levied for failure to comply. These penalties were in excess of a million dollars, and one this year was 4.3 million. Believe it or not, in a few cases, people are being sent to jail.
BEWARE… In addition, the liability of individuals and Business Associates used to be limited, and corporate officers, managers and others could ignore the regulation with impunity because they knew their company would cover them. Business Associates could simply sign an attestation that they would take care of the data they possessed. Today, those Business Associates must comply with the same rules as the Covered Entity, and civil and criminal penalties can be levied on individuals for willful neglect or malicious actions. The days of ignoring HIPAA have passed. If you don’t take it seriously, you may well find yourself on the wrong side of a prosecution, civil penalty or civil lawsuit.
If you would like to know more about how HIPAA has changed, how it might apply to you, or need assistance, please feel free to call us at 949-428-5000 and ask for Kevin McDonald.