What is a HIPAA resolution agreement?
by Emma Contreras
If your organization has found itself in the unfortunate position of committing a Health Insurance Portability and Accountability Act (HIPAA) violation, then you are likely familiar with HIPAA resolution agreements.
A HIPAA resolution agreement is a settlement that aims to resolve complaints by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) against a business associate or covered entity (CE). CEs include healthcare organizations, health insurance companies, or private practices.
In the resolution agreement, the CE agrees to perform certain obligations under a corrective action plan and submit regular reports to HHS for a specified period of time, generally for three years. Some HIPAA resolution agreements include a resolution payment.
During the time period specified in the resolution agreement, HHS actively monitors the CE’s compliance with the agreed-upon commitments.
If the CE fails to demonstrate the required compliance or to take corrective action, it may have to pay civil money penalties (CMPs) to HHS.
Common HIPAA violations
Given the potential severity of a HIPAA CMP and the risk a violation presents to protected health information (PHI), it’s important that organizations demonstrate constant vigilance to protect themselves against potential HIPAA violations.
Common HIPAA violations include:
Maintaining unsecured records
Organizations must extensively train all of their employees in how to properly safeguard documents that contain PHI. Whether it’s securing physical documents with sensitive data or ensuring digital files are encrypted, all employees should be aware of and follow the necessary precautions.
Encrypting data is not necessarily a strict HIPAA requirement; however, data encryption is a common tool healthcare organizations use to protect PHI in case a device is lost, stolen, or hacked.
Breaches of email and network servers are among the most common cyberattack vectors, with breaches of paper and film records the next most common breach type.
There are many ways an organization could violate HIPAA; all too often, data breaches reveal the gaps in the organization’s defenses and lead to exposure of PHI, an OCR investigation, and potentially costly fees and penalties.
What happens to CEs that violate HIPAA?
If OCR finds evidence of noncompliance and a violation of HIPAA’s Privacy and Security Rules, it may take the following steps to resolve the case:
- Voluntary compliance: By the time OCR has contacted the CE, it’s not uncommon for the organization to be aware of the violation and to have already implemented a plan to fix the problem before or during the investigation.
- Corrective action: More complex HIPAA violation cases may require a more in-depth investigation. The CE will have to implement corrections to its HIPAA Privacy and Security Policies, processes, safeguards, and training.
- Resolution agreement: Resolution agreements often come with corrective action and typically include active monitoring and reporting to HHS.
OCR may implement a combination of the above steps to reach a case resolution.
What a HIPAA resolution agreement could cost your organization
It is essential that healthcare organizations understand the extensive ramifications of a HIPAA violation and subsequent resolution agreement.
HIPAA violations not only present a great risk to an organization’s patients but can also be extraordinarily expensive when it comes to fines.
Every year, OCR reviews thousands of HIPAA cases. In 2018 alone, HIPAA violations cost companies a collective $28.7 million in fines.
HIPAA civil money penalties range depending on the severity of the organization’s HIPAA violation:
Level 1: CE was unaware of the HIPAA violation: $100 to $50k per violation
Level 2: OCR has reasonable cause to believe the CE was aware that it violated HIPAA: $1k to $50k per violation
Level 3: CE demonstrated willful neglect of HIPAA but corrected the violation within 30 days: $10k to $50k per violation
Level 4: CE demonstrated willful neglect of HIPAA and failed to correct the violation within 30 days: $50k per violation
Level 3 and 4 violations could result in criminal charges depending on the severity of the willful neglect.
An organization’s best chance of avoiding costly HIPAA fines is to implement the best possible cybersecurity.
Prevent HIPAA violations with Paubox Email Suite Plus
Utilizing a high-quality cybersecurity program such as Paubox Email Suite Plus can safeguard organizations against potential violations and expensive HIPAA resolution agreements.
With our patented email encryption technology, Paubox Email Suite Plus protects your patients’ data and allows you to send and receive HIPAA-compliant email with ease.
With extensive phishing, ransomware, and spam protection, Paubox Email Suite Plus removes the burden from staff to encrypt their email and eliminates the risk of human error accidentally exposing PHI to a data breach.
Protect your organization’s patients from data breaches and avoid costly CMPs by strengthening your email program security.