The Department of Health and Human Services' Office for Civil Rights (OCR) generally takes two to three years to settle cases, and business associates (BAs) first became directly liable for HIPAA compliance in September 2013. Greene therefore said "I wouldn't be surprised that within the next year we see our first business associate [enforcement] action from something that happened in 2013 or 2014." He advises BAs to pay attention to the issues involved in OCR settlements with covered entities.
"OCR is really looking at all the places you have PHI, all the threats to that, all the vulnerabilities and all the corresponding risks, which is very different from a gap assessment."
- Adam Greene, partner, Davis Wright Tremaine LLP

According to Greene, "the risk assessment continues to be the biggest challenge, and a lot of it is not having a risk assessment that aligns with OCR guidance." Organizations conducting risk assessments and seeking to proactively detect data privacy breaches can utilize SaaS analytics services.
Learn how to proactively detect identity theft and unauthorized breaches of data privacy, even by authorized users, with no hardware and no on-site software.

Sources:
(a) Expect HIPAA noncompliance fines for BAs soon, attorney says - www.FierceHealthIT.com, 09/17/2015