Jeff Drummond blogs:
OCR to Focus Audits on Entities with Long-Standing Patterns of Non-Compliance. According to BNA (subscription required), OCR will look for organizations with long histories of noncompliance, across all areas of the healthcare industry. Entities that can demonstrate efforts to create and nurture a “culture of compliance” will come out of audits looking good. Entities that violate HIPAA in ways that raise a high risk of data breaches (such as with mobile devices) will bear the brunt of OCR’s enforcement activities, which will definitely be stepped up after publication of the Omnibus Rule. And if you don’t have policies and procedures in place, you will pay penalties.
You have been warned.
Good. Now if they’ll just actually enforce and impose penalties so that the word gets out. California has imposed a number of monetary penalties for non-compliance with state laws, and the word got out that not reporting within the 5-day period would cost you. And some of the fines they have imposed were because entities did not have policies in place that would have prevented certain breaches. Although HHS has issued penalties – including to a hospice that had not conducted a risk assessment and did not have policies in place – there hasn’t been enough enforcement, in my opinion.