Increased enforcement of Health Insurance Portability and Accountability Act provisions by the Department of Health & Human Services' Office for Civil Rights is resulting in ever-larger monetary settlements.
And according to HR and benefits consultant Buck, that's due to a lack of compliance and preparedness on the part of organizations. In fact, according to its 2019 HIPAA Readiness Survey, a substantial percentage of firms fail to successfully follow HIPAA privacy and security policies, resulting in breaches that could let those firms in for substantial penalties.
Among other failings, the survey reveals that 42 percent of survey participants did not know when a risk/threat analysis was last conducted, or said it had been conducted more than five years ago—this in spite of the fact that best practices dictate such an analysis be performed annually, particularly in this age of cyberattacks.
In addition, 33 percent of survey respondents either have not inventoried their business associates or didn't know if they have done so; 16 percent lacked current business associate agreements, or didn't know if they had them. That could leave them on the hook in the event of a breach, particularly since the breach notification rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.
And more than a third—35 percent—said the last time they offered HIPAA training was between one and five years ago, while 13 percent only provide training during onboarding and 10 percent didn't know the last time it had been provided.
And while 74 percent said they had policies and procedures in place in the event of a breach notification, 10 percent said they didn't.
Firms eager to protect themselves should remember that lack of a formal written risk analysis may result in a breach being deemed willful neglect, and that breaches classified as willful neglect carry the highest fines. The survey adds that an essential component of HIPAA compliance is an up-to-date risk/threat assessment to identify key IT security weaknesses.
Other problems identified by the survey include the fact that just 39 percent of respondents had updated their privacy and security policies and procedures in the last year. Firms failed to adequately communicate documented policies and procedures, which resulted in failure to follow them. They also failed to maintain records of individual training completion.
"Strong governance is essential to protecting information," says Laurie DuChateau, U.S. compliance consulting practice leader at Buck. "It's risky for group health plan sponsors to be unprepared for a HIPAA audit or investigation as penalties for non-compliance can amount to millions of dollars."
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.