Here is something that HIPAA industry experts rarely say:
"Your clients aren't worried about HIPAA"
Wait, what? You might be saying to yourself:
"Art, your company sells HIPAA security services; how can you say that?"
Let me explain myself a little more. It is easy for industry experts to start talking about the soon-to-be-enforced HIPAA audits, and it is easy to talk about the fines that organizations will have to pay if they are audited and found to be in noncompliance. From an outsider's view it is easy to bang the compliance drum and try to get the message to organizations that need to comply with HIPAA regulations.
The hard reality is that a lot of organizations, including HIPAA Covered Entities (physicians, dentists, chiropractors) and their Business Associates (IT, medical billing, transcriptionists, and lawyers), aren't overly worried about complying with HIPAA. That is not to say these organizations are not aware of or don't care about HIPAA regulations. The truth is that a lot of these organizations are relatively small compared to large healthcare organizations, large hospital systems and enterprise organizations. Running a smaller organization means that there are many other things to worry about besides HIPAA. Daily business challenges, including increased competition and expenses, decreasing revenue and government regulation, along with the most important job of providing quality patient care, can easily take precedence over HIPAA compliance.
One of the other major issues that contributes to organizational apathy regarding HIPAA is the lack of enforcement. HIPAA regulations have been around for years, and the truth is that they have not been widely enforced. Yes, we have all read about large fines that a few organizations have received, but these are statistically rare. Of over 1,000,000 Covered Entities, only a few have received large HIPAA-related fines and penalties. Among the even larger number of Business Associates, fines and penalties are rarer still.
So fast forward to 2012 and take a look at the 115 organizations that went through the HHS Office for Civil Rights (OCR) random HIPAA audits. That is about 0.0115% of all the HIPAA Covered Entities. If I were in Vegas I would bet against those odds every time.
We know HIPAA enforcement is coming, but a lot of Covered Entities have been lulled into believing that HIPAA is not enforced and that, because of the lack of enforcement, they don't have to worry about it. Think of it this way: I'll bet there is a road in your town where the speed limit is 35 miles an hour, but everyone routinely travels much faster than that, because it's a nice straight road and no one ever sees any police around. Then one day, the speed trap is set up...
When we talk to our clients about HIPAA we are consistently shocked by the general misunderstanding of the HIPAA regulations. I can't tell you how many organizations aren't even aware that there is both a HIPAA Privacy Rule and a HIPAA Security Rule. A lot of these organizations have taken steps to protect patient privacy and comply with the HIPAA Privacy Rule, but there is an overwhelming lack of compliance with the HIPAA Security Rule. It is hard to comply with something you weren't even aware of!
We have performed hundreds of Risk Assessments over the past 5 years. We are very aware of the requirement to perform a HIPAA Risk Assessment, what the process is, and why organizations need to perform one. But when we talk to our clients about a Risk Assessment, it is like speaking a foreign language to some of them. They have no idea what a Risk Assessment is and are very surprised to learn that they are required to perform one.
Since the HIPAA Omnibus Rule was released in 2013 there has been a significant increase in HIPAA awareness. We have seen a huge increase in our website hits, a large influx of new clients, and we have partnered with a lot of organizations that are interested in selling HIPAA security services. HHS OCR has made it clear that a permanent HIPAA audit program will be implemented in 2014, and the message seems to be making its way to Covered Entities and Business Associates.
HIPAA is getting more and more press these days. HIPAA-related articles, whitepapers and webinars are appearing at an almost feverish pace. Covered Entities are hearing about HIPAA requirements from their lawyers, malpractice carriers, professional associations, and IT/EMR vendors, as well as in articles published in magazines and journals. As I said, a lot of people are banging the HIPAA drum, and the message is starting to be heard.
Here is the one thing that seems to be resonating with Covered Entities: the Meaningful Use (MU) audits that are occurring and the risk to EHR incentive payments. Meaningful Use audits are estimated to reach as many as 20% (1 in 5) of eligible providers that have received Meaningful Use incentive payments. If an organization is audited and has failed to perform a Meaningful Use / HIPAA Risk Assessment, it may have to return a full year of MU incentive payments. At an average of $10,000 per provider, having to write a check back to the government for $10,000, $20,000, $30,000 or more is a real risk.
It does make sense that organizations are more concerned about a 20% chance of having to return real money that was provided to them as part of the Meaningful Use program. Compare this to the relative lack of concern about HIPAA regulations and a permanent audit program that has not even been implemented yet.
A strategy that has been successful for us is to turn the conversation away from HIPAA security compliance and focus on Meaningful Use Risk Assessments. In the end you are talking about the same thing, but the fear of Meaningful Use audits resonates a lot more!
So I started by saying: your clients aren't worried about HIPAA. While that may have been true in the past, I believe that will change this year and in future years. More and more people will be banging the HIPAA drum and getting the message out to Covered Entities and Business Associates. The permanent HIPAA audit program will be put in place this year; Congress has taken HHS OCR to task for the delay. With the audit program in place, stories of Covered Entities and Business Associates being audited and fined will get the attention of a lot of organizations.
HIPAA awareness and organizational concern about complying with the regulations will increase dramatically in 2014 and beyond. And once these organizations are concerned about HIPAA regulations, they will realize that it is cheaper to comply and protect patient information than it is to receive HIPAA-related fines and suffer the consequences of HIPAA-related data breaches. And I'll no longer be saying that your clients aren't worried about HIPAA.