In 2016, the Office of Civil Rights (OCR) collected a record $23.5+ million dollars in HIPAA violation settlements. As of late May 2017, the OCR has already amassed close to $15 million dollars in HIPAA violation settlements. With HIPAA enforcements and HIPAA audits not slowing down anytime soon, covered entities and business associates can learn key lessons from past settlements.
Healthcare organizations, for a myriad of reasons, have had a tough time with data breaches and the resulting consequences. But there are some critical lessons we can learn from HIPAA penalties based upon reviewing the last two years of OCR HIPAA settlements.
1. Business Associate Agreements are essential
The Department of Health and Human Services (HHS) defines a “ business associate” as a person or entity that performs certain functions or activities. These functions or activities typically involve the use or disclosure of protected health information on behalf of, or in service to, a covered entity. Business associates are held liable to similar repercussions as covered entities under HIPAA rules. This includes if PHI is compromised in a healthcare data breach. RELATED: Anthem Breached Again! 18,500 Members Information Compromised With this in mind, healthcare organizations must have a well defined BAA that must be signed prior to handing over PHI. Past HIPAA violations involving organizations that did not have a BAA in place include Illinois-based Center for Children's Digestive Health (CCDH) and Care New England Health System (CNE). Both of these organizations lacked a BAA in place and were fined $31,000 and $400,000 respectively.
2. Risk Management
Implementing a well organized and documented risk management plan is essential to data privacy and security. This was highlighted by Children's Medical Center of Dallas earlier this year. After an un-encrypted and non-password protected Blackberry device was lost, the investigation revealed that the center failed to implement a plan to encrypt and protect patient information and medical records on mobile devices. As a result, they were fined $3.2 million dollars.
3. Audit Control
Audit control is an element of the technical safeguards within the HIPAA security rule. READ MORE: The Complete Guide to HIPAA Compliance for Busy Professionals It asks that healthcare organizations implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Failure to do this only helps hackers and insiders with malicious intents cover their tracks. A recent and every expensive example of this failure comes from Memorial Healthcare System. Earlier this year, Memorial Healthcare System settled with OCR for $5.5 million dollars. The settlement stems from two incidents, one involving 80,000 individuals’ PHI being disclosed when MHS gave a former employee of an affiliated physician practice access to the data.
4. Breach Notifications
When a HIPAA breach happens, the organization must notify affected individuals and enforcement agencies in a timely manner in accordance with HIPAA privacy. Not abiding by this can have huge financial implications and waste precious time to mitigate the breach. Presence Health earlier this year settled with the OCR for $475,000 for failing to notify without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach. The breach was caused from missing paper based on operating room schedules.
5. Basic HIPAA Safeguards
The basic safeguards of the HIPAA security rule includes technical, physical, and administrative safeguards. As healthcare continues to move towards the digital age, it becomes more vital for organizations to continually update these safeguards and train their staff on it. In August of 2016, Advocate Healthcare settled with the OCR for $5.5 million dollars for multiple HIPAA violations and noncompliance issues. The investigation revealed that Advocate Healthcare did not do a thorough risk analysis of its ePHI and did not have sufficient safeguards for all the physical locations of its ePHI. Corrective actions and a corrective action plan could have prevented this. In summary, these five lessons show that all healthcare providers have room to improve when it comes to HIPAA compliance. The mistakes that were highlighted are all addressable. To avoid paying massive fines, healthcare organizations must take a proactive and detailed approach to achieving HIPAA compliance. In another Paubox post, we wrote a short article detailing how to stay HIPAA compliant. These tips should help those looking to be proactive about protecting their organization from HIPAA fines and cybercriminals.