HIPAA Enforcement is Back

In late March, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) reported four new HIPAA enforcement actions after a months-long hiatus. It is a heads-up that the leniency OCR offered on HIPAA penalty enforcement during the COVID-19 pandemic is ending.

OCR Director Lisa J. Pino has announced the enforcement actions and offered a warning to covered entities: OCR is committed to protecting individuals' health information privacy and security through enforcement, and it will pursue civil money penalties for violations that remain unaddressed.

And while you may meet the minimum standards for compliance with HIPAA, will that be enough to keep you from violations? HIPAA is notorious for describing how organizations need to comply with its regulations, but it does not offer much guidance in terms of what technologies will help you maintain compliance. 

For example, one HIPAA regulation that your organization can better enforce through data governance technology is the Minimum Necessary Standard. The HIPAA Minimum Necessary Standard applies to uses and disclosures of Protected Health Information (PHI) that are permitted under the HIPAA Privacy Rule, including the accessing of ePHI by healthcare professionals and disclosures to business associates and other covered entities. In other words, no data request should include data beyond what is necessary, and no data response should go beyond what is necessary.

Is your organization in compliance with HIPAA? If not, the grace period for noncompliance appears to be over. It is time to review your cybersecurity stance and penetration-test your perimeter. Let 2W Tech help. We have a robust Cybersecurity Compliance Program that can identify any gaps in your regulatory requirements. Contact us today to learn more.