Later this year, the Department of Health and Human Services is expected to start auditing up to 150 health providers at random through December 2012 in an effort to find medical entities that fail to comply with HIPAA and HITECH regulations about how personal data must be handled securely.
While the audits don’t represent attacks on the personally identifiable information (PII) the regulations are supposed to protect, they do expose non-compliant providers to the potential for heavy fines and reputation-damaging publicity.
For instance, earlier this year Massachusetts General Hospital paid $1 million to settle a patient-privacy complaint with HHS due to an employee leaving patient records in a subway car.
That’s a big switch from the way healthcare privacy regulations have been handled since 2003, says Abner Weintraub, president of HIPAA Group, a compliance consultancy to healthcare organizations. Until this year, HHS had received about 50,000 complaints but levied no fines, preferring to take remedial actions instead, he says.