Jason Karn, Total HIPAA’s Chief Compliance Officer, recently talked with David Smith, a nationally recognized healthcare benefits consultant and regulatory expert, to discuss HIPAA enforcement projections for agents and brokers in 2019. They spoke about the recent push for compliance from state attorneys general and large health insurance carriers. You can listen to this episode of our podcast HIPAA Talk! here or on your mobile device via Apple Podcasts. Or, read the summary below.
National and State Level HIPAA Enforcement
It may seem like federal authorities are not as concerned with regulations and HIPAA enforcement as previous administrations. However, in 2018 we saw a record number of HIPAA enforcement lawsuits, including the largest HIPAA settlement to date with Anthem’s $16 million payout.1 As the number of breaches increases, more state attorneys general are prosecuting those who violate HIPAA law.
Additional state regulations, designed to strengthen the protection of consumer information, are now becoming laws. For example, states like California and New York introduced new requirements for Covered Entities that are more stringent than HIPAA. New York recently implemented a slew of cybersecurity regulations which include requiring the use of multi-factor authentication and strengthening cybersecurity incident notification rules.
These states will continue to pursue HIPAA enforcement while also cracking down on entities that violate their even stricter state regulations. More states will follow by adopting similar laws. We have already seen this trend all over the country.
HIPAA is not going away. In fact, fines and penalties will increase as more breaches occur. It is important to remember that regulatory agency employees will not stop doing their jobs because the executive branch adopts a laissez-faire approach to enforcing government regulations. HIPAA enforcement is a regular aspect of their occupation. Regardless of the federal government’s stance, these bureaucrats are still required to perform their professional duties, which include enforcing the current regulations.
Carriers and HIPAA Enforcement
Sometimes breaches occur because employees expose PHI carelessly. And other times, employees completely disregard privacy regulations, like HIPAA, because they believe these laws are unimportant. Health insurance carriers know this. The carriers have seen the significant fines doled out by OCR and state governments. They do not want to face the financial burden and bad publicity major breaches bring.
So, carriers are pushing agents and brokers to comply with HIPAA law. Carriers with a large national presence, like the Blues and United, lead the way with this effort, especially following the Anthem breach. They understand that large-scale breaches cost more than the payout to HHS; breaches result in the expense of litigation, identity theft protection for individuals, system changes, and potential loss of business.
Though carriers do not have the legal authority to drive HIPAA enforcement, they can threaten to drop agents and brokers who fail to comply. Carriers view compliance as an investment. Adopting policies that require encrypting data, securing network systems, and taking a comprehensive approach to following HIPAA guidelines benefits all businesses. Many agents and brokers do not realize how much they are risking with non-compliance.
Additionally, carriers know that it is not enough to simply have HIPAA-compliant policies in place. Your business must actually follow these procedures. The carriers have announced they will terminate the contracts of agencies that do not implement HIPAA technical requirements.
HIPAA Enforcement in 2019: Conclusions
Spending money on HIPAA-related security measures is what we call a ‘grudge purchase.’ For example, no one feels excited about spending hundreds of dollars on a new mattress. However, after biting the bullet and purchasing the new mattress, you realize how poorly you slept before you had it. Many agents and brokers view the process of HIPAA compliance the same way. The initial investment in securing your network and business information can be substantial. However, once the process is implemented, maintaining compliance is a minimal cost and well worth the investment. Not to mention, it is required by law.
In conclusion, we are witnessing more and more parties push for HIPAA enforcement at all levels. State governments and large health insurance carriers understand the value of compliance and are coming after uncooperative entities. Remember, HIPAA compliance is not a choice. Ignoring these rules and regulations is becoming impossible as more parties focus on HIPAA enforcement.