Jason Karn, Total HIPAA’s Chief Compliance Officer, recently spoke with David Smith, a nationally recognized healthcare benefits consultant and regulatory expert, about HIPAA enforcement projections for agents and brokers in 2021. They discussed HIPAA enforcement under the new administration and how to protect your business against breaches. You can listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read the summary below.
Broadening HIPAA Enforcement Expected
While the previous administration did take steps through executive orders to limit HIPAA-related penalties and other federal regulations, 2020 was still a banner year for HIPAA enforcement. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) concluded 19 HIPAA enforcement actions (settlements and civil money penalties), more than OCR had concluded in any previous year.
Although HIPAA-related penalties went up in 2020, the largest fines were directed at big corporations, and fines against small offenders were fewer and smaller. A handful of small companies and individual providers were nonetheless hit with significant penalties.
We expect OCR to continue cracking down on HIPAA violations by smaller offenders. Instead of focusing on large, headline-generating fines, OCR will be increasing enforcement across the board. If you are a small insurance agent thinking, “They won’t come after me. They’re busy monitoring and penalizing large carriers,” think again. With enforcement efforts increasing, being noncompliant leaves you vulnerable to breaches and dangerous fines.
A large fine can do a lot of damage, leading to loss of business, employee trust, and client confidence, especially in the case of incidents that receive major media attention. Your company may also incur the cost of legal fees and client protection services, like credit monitoring.
OCR is projected to crack down harder on companies that experience breaches in 2021. Part of this increase may stem from the massive supply-chain compromise disclosed in December 2020, when SolarWinds, a third-party software vendor widely used across the federal government, was found to have had its Orion product updates trojanized in a sophisticated hacking campaign, so that customers who installed the vendor’s own signed updates were compromised. That incident is a reminder that a breach can arrive through a vendor or business associate rather than through your own systems. This, along with the increased attention OCR is devoting to breaches of all sizes, is going to result in more stringent enforcement.1
State Level Enforcement
In the last several years, additional state regulations designed to strengthen the protection of consumer information have also become law. The California Consumer Privacy Act (CCPA) and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) both impose requirements on the entities they cover that go beyond HIPAA. The New York rule, for example, requires multi-factor authentication for anyone accessing internal systems from an external network and notice to the Department within 72 hours of a qualifying cybersecurity event, a much tighter clock than HIPAA’s 60-day breach notification deadline.
These states will continue to pursue HIPAA violations (state attorneys general have had authority to enforce HIPAA since the HITECH Act of 2009) while also cracking down on entities that violate their own stricter state regulations. More states are likely to adopt similar laws. This trend is sure to continue over the next few years, so it’s best to adopt good security practices now so you’re prepared for the future.
HIPAA Enforcement in 2021: Conclusions
The new administration will likely bring a renewed emphasis on HIPAA Privacy and Security. Under the Obama administration there were several key changes to HIPAA (through the HITECH Act of 2009 and the 2013 Omnibus Rule), including stricter breach notification requirements, harsher penalties for noncompliance, and required auditing. We expect the Biden administration to put a similar emphasis on breaches and their enforcement, taking an increasingly aggressive approach.2
For this reason, it is more important than ever to achieve and maintain HIPAA compliance. It’s not worth risking a breach and possibly your business. Be sure to implement good security practices that reflect the state of your business and current technology. These practices may include encrypting any email that carries protected health information, and retiring operating systems that no longer receive security patches (Windows 7, for example, reached end of support in January 2020), since unpatched systems are a common entry point for the attacks that lead to reportable breaches.
Remember, HIPAA compliance is not a choice. Ignoring these rules and regulations can jeopardize your business and your livelihood. Investing in HIPAA security practices like securing your network and business information will benefit you immensely in the long run. And once the process is implemented, maintaining compliance is a minimal cost and well worth the investment. Not to mention, it is required by law.
To be fully compliant, you must complete a Risk Assessment (the risk analysis required by the HIPAA Security Rule), maintain current copies of all policies, procedures and other documents HIPAA requires, train your staff, and more. Our HIPAA Prime program does all this and more, ensuring compliance for your business.
To learn more, email firstname.lastname@example.org today. Or, get started here.