Employers who ignore or are only partially compliant with healthcare privacy issues could face greater government scrutiny and fines, says Philadelphia attorney Christopher Ezold.

This new focus on compliance applies to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA requires that a “covered entity” maintain the privacy of personal health information (PHI). Covered entities can include healthcare providers, health plans and health clearing houses and their business associates.

[See also; Q&A: OCR Director Leon Rodriguez talks audits and enforcements.]

HIPAA does not apply to all employer-provided health insurance, but it does apply to employer-sponsored health plans and, therefore, to employers who sponsor those types of plans.

A partner at Philadelphia-based The Ezold Law Firm, P.C., which focuses on business, employment and healthcare law, Ezold warns that while enforcement of PHI rules have been lax in the past, the Department of Health and Human Services (HHS) has recently imposed penalties of more than $1 million against companies found in violation of HIPAA.

For example, on June 26, 2012, HHS announced that the Alaska Department of Health and Social Services agreed to pay a $1.7 million fine to settle possible violations.

On March 13, 2012, HHS announced Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million to settle potential HIPAA violations.

[See also: Tennessee Blues to pay $1.5M as result of data breach.]

Smaller employers have also found themselves on the receiving end of a HIPAA audit. This is a strong reminder for businesses to revisit their compliance programs, Ezold said.

The HHS’s Federal Office for Civil Rights (OCR) has stepped up HIPAA audits of “covered entities” that are subject to HIPAA. OCR has now begun levying significant monetary penalties for violations of HIPAA’s privacy rule. In practice, OCR is not interested in small fines; it has levied penalties in the hundreds of thousands and even millions of dollars for what appeared at first glance to be small issues, according to Ezold.

“If OCR comes knocking, you may be able to avoid significant liability by showing that you have engaged in a good faith attempt to meet your obligations,” says Ezold.

He suggests holding an annual internal review to ensure that the privacy requirements are being met. OCR will not consider a once-and-done review to be sufficient; annual reviews provide better protection than merely doing an initial assessment.

[See also: As OCR promises more fines, two CIOs offer tips on risk assessments.]

Ezold also recommends:

• Designate a HIPAA compliance officer.
• Create privacy and security policies that comply with HIPAA and HITECH.
• Determine which employees have access to PHI.
• Limit access to PHI both operationally and in policy to those employees who “need to know.”
• Review physical and encryption security for PHI.
• Schedule annual reviews of policies, operations and regulations.
• Create annual risk analyses and security plans.
• Have policies in place regarding breaches of PHI security.
• Schedule annual computer network security reviews.
• Safeguard all physical/documentary PHI in a locked location.
• Create policies for reviewing and shredding old documents.
• Ensure that no one keeps PHI on any mobile digital device.

“Given that most businesses review their policies at the end of the year, this is an ideal time to have your counsel or compliance officer examine your own policies to ensure that you would not become an unfortunate victim of an OCR audit,” Ezold says. “A small investment in time now could prevent extremely painful repercussions down the road if you are not in compliance.”