HIPAA Compliance Training
Are Healthcare Providers Taking it Seriously Enough?
The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996. The Administrative Simplification provisions in Title II of the Act lay down the guidelines for the handling and distribution of sensitive patient data. Recent prosecutions suggest that the stricter enforcement of these provisions may have caught some healthcare organizations napping.
Specifically, the privacy and security rules in the Administrative Simplification provisions clearly set out the requirements for the use and disclosure of protected health information and outline the safeguards that have to be applied to physical and electronic patient data for HIPAA compliance.
The legislation allows for civil and criminal charges to be brought against healthcare organizations that fail to comply with HIPAA requirements. In the years immediately after the enactment of the HIPAA legislation, covered entities were given time to put HIPAA compliance training in place to meet those requirements.
By 2005, all ‘covered entities’ (defined in the HIPAA legislation as health plans, health insurers and medical service providers) were legally required to be in compliance with HIPAA’s Privacy and Security rules. In reality, there were few prosecutions and little evidence of HIPAA enforcement on the ground. That changed in 2009 when the Health Information Technology for Economic and Clinical Health, or HITECH, Act was passed. This gave teeth to the HIPAA provisions and increased the monetary penalties for non-compliance.
The Office for Civil Rights, or OCR, in the Department of Health and Human Services began to enforce the HIPAA privacy and security rules more vigorously after the enactment of HITECH. But are covered entities taking HIPAA compliance seriously enough? Recent high-profile penalties imposed on healthcare providers would suggest that the answer is ‘no’.
In February 2011, a civil monetary penalty of $4.3 million was imposed on Cignet Health for alleged HIPAA violations, and in the same month the General Hospital Corporation was fined $1 million for allegedly failing to put adequate safeguards in place to protect sensitive patient data.
Covered entities are required to have a procedure in place that shows evidence of ongoing HIPAA compliance training for all employees who handle patient health information. Such a training program should be designed and implemented by a Privacy Officer who has completed a course in the HIPAA Administrative Simplification requirements.
Indications are that enforcement of HIPAA privacy and security rules will become increasingly stringent in the months and years to come. Credible programs offering HIPAA compliance online training do exist and healthcare institutions that are lurching towards an inevitable clash with OCR regulators are just now coming to the realization that their time is almost up.