What to do after you violate HIPAA
by Kapua Iao
A disaster happened: your healthcare organization suffered a data breach and possible HIPAA violation.
HIPAA, or the U.S. Health Insurance Portability and Accountability Act of 1996, sets out the rules and regulations that protect the rights and privacy of patients.
What is HIPAA and why is it important?
HIPAA, administered by the U.S. Department of Health and Human Services (HHS), consists of five sections (titles) that standardize patient protections. The HHS Office for Civil Rights (OCR) regulates and enforces the Act.
Title II is key to our discussion as it sets the policies and procedures for safeguarding protected health information (PHI).
Important sections include:
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect electronic PHI (ePHI)
- Enforcement Rule (2006): sets the standards for enforcing HIPAA and penalizing non-compliant covered entities (CEs)
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): requires CEs to report breaches to OCR and affected individuals
- Final Omnibus Rule (2013): incorporates HITECH further by improving privacy protections
Understanding and implementing HIPAA rules is fundamental to patient care and avoiding potential HIPAA violations.
What is a HIPAA violation?
A HIPAA violation occurs when a CE does not properly safeguard patients’ PHI and suffers a data breach.
Breaches can occur in a variety of ways, whether intentional or unintentional, due to negligence or an accident. It doesn’t matter whether or not a hacker demands a ransom or does anything with the stolen PHI.
Moreover, our most recent monthly HIPAA Breach Report shows that over 4 million patients were affected by breaches in December 2020.
A HIPAA-compliant CE fulfills HIPAA’s requirements and reduces the risk of a breach to an appropriate and acceptable level. While breaches happen easily nowadays, it is important to understand that a breach does not automatically mean a HIPAA violation.
What happens after a data breach?
Once a breach is discovered, how the CE reacts and the steps it takes will help OCR decide whether a HIPAA violation occurred.
First, it is necessary to take immediate action, even if a CE only suspects a breach.
Next, the CE must contain the breach. This might mean cutting access to a system or network or suspending an affected employee’s account. This is why it is necessary to have contingency plans ready at any given moment.
Depending on the results of the breach assessment, a CE may need to notify HHS, the proper authorities, and any affected patients, and the notification should include:
- A description of the breach and when it occurred
- The PHI involved
- The steps the CE has taken to mitigate the breach
- How patients can protect themselves
- Contact information
How you notify HHS also hinges on the extent of the breach. A breach that affects fewer than 500 patients means logging the incident with HHS within 60 days of the year’s end. A breach affecting more than 500 patients means that HHS must be notified immediately.
It should also be noted that breaches affecting over 500 individuals end up on what is known as OCR’s Wall of Shame.
At this point, OCR will more than likely perform a compliance review, resolving the case only if the CE demonstrates voluntary compliance, corrective action, and/or a resolution agreement (https://www.paubox.com/blog/what-is-hipaa-resolution-agreement/).
Depending on the investigation, fines run from $100 to $1.5 million per violation, along with potential jail time. The greater the role of negligence in the data breach, the larger the fine will be.
And unfortunately, these fines are not the only costs due to a HIPAA violation. Costs associated with the mandatory corrective action plan (CAP) will more than likely be excessive. A CAP’s purpose is to find the underlying security issues within your organization and make you correct them.
The timeline for a CAP can potentially last for several years. You will regularly report to the OCR on your progress and submit your organization to audits during this time.
Use strong cybersecurity to avoid a HIPAA violation
Ideally, maintaining HIPAA compliance keeps CEs from dealing with a breach, HIPAA violation, and/or OCR fine and CAP. In fact, everything within a CAP should already be applied under HIPAA.
To avoid a HIPAA violation, it is fundamental to use a strong cybersecurity program that a CE continuously tests and updates. Such safeguards should include:
- Continuous audits and risk assessments
- Employee awareness training
- Access controls (e.g., privileged access management)
- Policies/procedures on work/personal device use (e.g., a bring-your-own-device policy)
- Offline data backup
- Policies/procedures for data disposal
- Inbound/outbound email security (e.g., HIPAA compliant email)
Paubox Email Suite Plus provides the email security you as a CE need to protect patients’ electronic PHI (ePHI) transmitted via email. All messages are sent and received with TLS 1.2 or 1.3 encryption, as recommended by the NSA, and our inbound security solutions stop harmful emails from ever reaching an inbox.
Avoid future problems by actively creating a cybersecurity program that works for you, starting with strong email security. Proactive HIPAA compliance is less expensive and less time consuming than dealing with a HIPAA violation.