The Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS) is responsible for enforcement of the HIPAA law. These enforcements aren’t all just “guidelines” however. OCR began enforcement efforts in earnest in 2011. Since then, the amount of resources dedicated to HIPAA enforcement has increased. So have the number of HIPAA audits, correction action plans, resolution agreements, and civil money penalties. To determine the plan and penalties for any violations found during the audit, HHS uses the following categories as guidelines:
Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
Based on the most common problems found during HIPAA audits, these are the Hot Buttons that HIPAA auditors look for:
• Device encryption
• Workforce education and training
• Updating of policies and procedures
• The elimination of old data
• Security risk assessments
• Risk mitigation plans
• Vendor management
Be sure that you are keeping your compliance plan current.
Be sure you are training your staff regularly.
Be sure to address the Hot Button issues shown above.
Be SMART about your HIPAA Compliance!