The HITECH Act, which brings us the meaningful use reimbursement program, also has a less well-known purpose: to amend HIPAA law. Experts feared a rapid increase in security breaches as more medical providers switch to electronic health records (EHR). Congress wanted to head off this problem by amending HIPAA law to give it more teeth. Previously, HIPAA had not been well enforced.

Times have changed, and practices should be aware of three main changes to HIPAA enforcement. First, fines have increased from $25,000 to a maximum of $1.5 million for “willful neglect.” Per-incident fines, which were previously $100, are now a $50,000 minimum per incident. In addition, HIPAA now requires public disclosure of data breaches to local media and on the CMS website. Finally, HIPAA now authorizes random compliance audits, much like those CMS conducts for Medicare and Medicaid payments.

The Office of Civil Rights (OCR), which is charged with enforcing HIPAA, has begun the first round of compliance audits, according to Howard Anderson at Round one will focus on 20 organizations, with an additional 120 receiving audits later in 2012. The focus of round one is covered entities themselves, not their business associates. Contrary to popular belief, OCR is not only interested in large groups. Small practices and community pharmacies earning less than $50 million make up 30% of the initial audit group.

Leon Rodriguez, head of the Office of Civil Rights, states “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve…” However, that does not mean practices should approach an audit with a cavalier attitude. Rodriguez continues, “I know there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action…” including “civil monetary penalties.”

What does this mean for the average small practice? First and foremost, it’s time to pay attention to security. With a potential $1.5 million fine and public notification of breaches at stake, the small practice can no longer afford to ignore the HIPAA security rule. HIPAA compliance is a complex subject, and busy practice managers may not be sure where to start.

The best way to protect your practice is to start with a NIST 800-30 compliant risk assessment. A risk assessment is the first step required by the HIPAA security rule, and not coincidentally, it is also required for meaningful use. A NIST 800-30 risk assessment will give you a comprehensive, clear picture of your practice and help you move forward with remediation. Please feel free to contact us at or through our website at if you would like more information on risk assessments or HIPAA audits.

Ryan Ricks
Security Officer