The Department of Health and Human Services, Office for Civil Rights (OCR) is the governing body that enforces HIPAA and imposes the consequences of HIPAA non-compliance. Periodically, the OCR sends out updates and announcements of recent HIPAA infractions. These announcements typically outline the HIPAA violation, the associated fine, and the corrective action plan put in place to correct the issue. While the situation behind each of these violations is quite unfortunate, there is one benefit: the announcements provide real-world examples of organizations that did not take their compliance seriously and, as a result, ended up paying exorbitant fines.
It is important to note that one of the purposes of these announcements is to show that the OCR acts against those who violate the security and privacy rights of their patients, and to deter organizations from taking HIPAA lightly. To help further, we have outlined the three latest announcements below and highlighted the key takeaways from each situation so that, hopefully, we can all avoid making the same mistakes. Let’s dive in and see what we can learn.
#1 Failing to conduct a Security Risk Assessment can result in major fines
Our first case was recently settled on September 25, 2020, but it goes back a few years. On March 17, 2015, Premera Blue Cross (PBC), a large health insurance entity, reported a breach on behalf of its own organization. PBC reported that cyber-attackers gained unauthorized access to its IT systems through a phishing email link that led to a malware installation. This cyber-attack went unnoticed for almost nine months and led to the disclosure of approximately 10.4 million individuals’ protected health information.
PBC was cited as having “systemic non-compliance by failing to conduct a security risk assessment (SRA) and failing to implement risk management across the organization.” Roger Severino, OCR Director, had this to say about the case: “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.” PBC agreed to pay $6.85 million as a settlement. It also agreed to a corrective action plan under which the OCR will monitor its compliance for two years.
The key learning here is that security risk assessments are required under the HIPAA Security Rule, and failing to conduct one annually not only erodes the security of the organization over time but is also a finable offense.
Be sure to:
- Conduct an annual security risk analysis
#2 Security incident procedures and access controls are a MUST
This case from September 2020 is similar to the one above. CHSPSC is a business associate that provides IT and health information management services to hospitals and physician clinics. An investigation by the OCR found long-standing systemic non-compliance: CHSPSC had failed to perform a security risk assessment and to implement security incident procedures and access controls. As a result, it agreed to pay $2.3 million in settlement and to a corrective action plan that includes two years of OCR monitoring.
The key learnings from this case are that failing to implement security incident procedures and access controls for device management are finable offenses. A security risk assessment addresses these and all the other requirements of the HIPAA Security Rule.
Be sure to:
- Implement security incident procedures
- Implement access controls and device management
#3 Failure to maintain policies and procedures can leave your organization exposed
On September 21, 2020, after a long audit process following a database breach affecting 208,557 individuals’ information, Athens Orthopedic Clinic paid $1.5 million to settle systemic non-compliance with HIPAA rules. Here again we see the trend of failing to perform a risk assessment, coupled with failing to maintain proper policies and procedures around HIPAA compliance and failing to have business associate agreements in place with vendors. "Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers," said OCR Director Roger Severino.
The key learnings from this case are that policies and procedures are among the first things the OCR looks for during an audit, as the “paper trail” for HIPAA compliance. Additionally, putting business associate agreements in place with each vendor, with proof of the vendor’s compliance, is critical to avoiding fines and penalties.
Be sure to:
- Review and update policies and procedures
- Implement and sign a business associate agreement and require proof of compliance for ALL vendors
The common thread through all three situations was the failure to perform a security risk assessment. The risk assessment, a fundamental component of HIPAA compliance, helps identify gaps in the security of information systems that contain PHI. By identifying those gaps, you learn what risks and vulnerabilities your organization has and can begin implementing a plan to mitigate them. By reviewing and completing a Security Risk Assessment each year, you are continually evaluating where the weaknesses are and how to address them before a breach happens.
In addition to completing a Security Risk Analysis, it is important for organizations to maintain proper training and to implement and update policies and procedures. A comprehensive HIPAA compliance program should help you address each of the key learnings above. At HIPAA One, we provide solutions that automate 82% of the necessary compliance process. Our Security Risk Analysis also includes policy and procedure templates that you can customize and edit to your liking.
For more information about HIPAA Compliance and risk assessments, schedule a quick call with our team.