5 lessons learned from 2016-2017 OCR HIPAA settlements

Featured image

Share this article

5 lessons learned from 2016-2017 OCR HIPAA settlementsIn 2016, the Office of Civil Rights (OCR) collected a record $23.5+ million dollars in HIPAA violation settlements.

As of late May 2017, the OCR has already amassed close to $15 million dollars in HIPAA violation settlements.

With HIPAA enforcements and HIPAA audits not slowing down anytime soon, covered entities and business associates can learn key lessons from past settlements.

Healthcare organizations, for a myriad of reasons, have had a tough time with data breaches and the resulting consequences.

But there are some critical lessons we can learn from HIPAA penalties based upon reviewing the last two years of OCR HIPAA settlements.

1. Business Associate Agreements are essential

The Department of Health and Human Services (HHS) defines a “business associate” as a person or entity that performs certain functions or activities. These functions or activities typically involve the use or disclosure of protected health information on behalf of, or in service to, a covered entity.

Business associates are held liable to similar repercussions as covered entities under HIPAA rules. This includes if PHI is compromised in a healthcare data breach.

RELATED: Anthem Breached Again! 18,500 Members Information Compromised

With this in mind, healthcare organizations must have a well defined BAA that must be signed prior to handing over PHI.

Past HIPAA violations involving organizations that did not have a BAA in place include Illinois-based Center for Children’s Digestive Health (CCDH) and Care New England Health System (CNE).

Both of these organizations lacked a BAA in place and were fined $31,000 and $400,000 respectively.

2. Risk Management

Implementing a well organized and documented risk management plan is essential to data privacy and security. This was highlighted by Children’s Medical Center of Dallas earlier this year.

After an un-encrypted and non-password protected Blackberry device was lost, the investigation revealed that the center failed to implement a plan to encrypt and protect patient information and medical records on mobile devices.

As a result, they were fined $3.2 million dollars.

3. Audit Control

Audit control is an element of the technical safeguards within the HIPAA security rule.

READ MORE: The Complete Guide to HIPAA Compliance for Busy Professionals

It asks that healthcare organizations implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Failure to do this only helps hackers and insiders with malicious intents cover their tracks.

A recent and every expensive example of this failure comes from Memorial Healthcare System.

Earlier this year, Memorial Healthcare System settled with OCR for $5.5 million dollars. The settlement stems from two incidents, one involving 80,000 individuals’ PHI being disclosed when MHS gave a former employee of an affiliated physician practice access to the data.

4. Breach Notifications

When a HIPAA breach happens, the organization must notify affected individuals and enforcement agencies in a timely manner in accordance with HIPAA privacy. Not abiding by this can have huge financial implications and waste precious time to mitigate the breach.

Presence Health earlier this year settled with the OCR for $475,000 for failing to notify without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach.

The breach was caused from missing paper based on operating room schedules.

5. Basic HIPAA Safeguards

The basic safeguards of the HIPAA security rule includes technical, physical, and administrative safeguards. As healthcare continues to move towards the digital age, it becomes more vital for organizations to continually update these safeguards and train their staff on it.

In August of 2016, Advocate Healthcare settled with the OCR for $5.5 million dollars for multiple HIPAA violations and noncompliance issues.

The investigation revealed that Advocate Healthcare did not do a thorough risk analysis of its ePHI and did not have sufficient safeguards for all the physical locations of its ePHI. Corrective actions and a corrective action plan could have prevented this.

In summary, these five lessons show that all healthcare providers have room to improve when it comes to HIPAA compliance. The mistakes that were highlighted are all addressable.

To avoid paying massive fines, healthcare organizations must take a proactive and detailed approach to achieving HIPAA compliance.

In another Paubox post, we wrote a short article detailing how to stay HIPAA compliant. These tips should help those looking to be proactive about protecting their organization from HIPAA fines and cybercriminals.

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Phuong Tran

Phuong Tran is a Carnegie Mellon University-Heinz College graduate with a degree in healthcare policy and management. In his spare time he enjoys discovering new restaurants and playing basketball.

Read more by Phuong Tran

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022