Beyond the OCR, New HIPAA Enforcers Are Now Active
Most developers know by now that the Office for Civil Rights (the OCR) is the official HIPAA enforcement agency. Most “HIPAA 101” courses teach that this agency, a section of the U.S. Department of Health and Human Services (HHS), is tasked with enforcing the HIPAA Regulations. The OCR is also the “interpreter” charged with explaining and clarifying the Regulations for the healthcare community and for everyone else who handles protected health information or is otherwise affected by HIPAA. But the HIPAA enforcement landscape is changing, and developers need to understand how.
HIPAA Enforcement — Once Upon a Time
Once upon a time, HIPAA enforcement was a gentle giant. Enforcement authorities took an “education and outreach” approach to violations of the HIPAA Rules. In those early days, even when patient data had actually been compromised, offenders paid no penalties; instead they signed an agreement, called a “Corrective Action Plan” or CAP, promising to fix the problems that had led to the violation.
For years, and in spite of tens of thousands of submitted reports of violations, the OCR did not impose a single monetary penalty until 2011. Today, HIPAA enforcement is dramatically different.
According to experts at the Institute for Critical Infrastructure Technology, the rise in successful hacks has recently pushed the price of stolen data down. But stolen data is still a goldmine. Complete identity-theft kits built around comprehensive health insurance credentials can sell for hundreds of dollars, up to $500 each, on the black market, and health insurance credentials alone can fetch $20–50 each. By comparison, stolen consumer payment cards typically sell for $1 to $2 each.