Ready or Not, HIPAA Enforcement is Here
To say HIPAA enforcement is on the rise is an understatement.
In 2016, HIPAA enforcement resolution agreements and civil monetary penalties rose sharply, totaling roughly $23 million in collected fines, more than triple the previous annual record of $7.4 million set in 2014.
At the start of 2017, with the change in White House administration, many people anticipated that fines and enforcement would continue to increase throughout the year. With the appointment of Roger Severino as Director of the Department of Health and Human Services' Office for Civil Rights (OCR), those predictions came to fruition.
As far as HIPAA violations are concerned, this makes Severino the agency's chief enforcer, and he takes his job very seriously. In his own words, Severino stated his mission is to find a "big, juicy, egregious breach case to use as an example from which others can learn."
The trend has continued: 2018 was a record year for HIPAA fines, with $28.7 million collected in settlements and penalties, and a mean penalty of more than $2.5 million per action.
HIPAA Penalties on the Rise
As of August 2017, 9 enforcement actions had been settled, with average settlement amounts consistently higher than those in 2016. At that point the largest single settlement was $5.5 million, assessed in 2016 after the theft of an unencrypted laptop and the failure to execute a proper business associate agreement.
So what does this mean for healthcare organizations who handle protected health information (PHI) or Personally Identifiable Information (PII)?
To reduce the risk of potential HIPAA violations, there are several important steps to take.
1) Conduct Regular Security/Vulnerability Assessments
It is crucial to identify security flaws in your environment before an attacker does. The most direct way is a vulnerability assessment that enumerates missing patches, insecure configurations, weak or default credentials, and services exposed on your network, and then ranks the findings by risk so that remediation can be prioritized.
A single phishing email can unleash ransomware that leaves your files held hostage by cyber criminals. If those files contained ePHI, the incident is not only an operational problem: under OCR's ransomware guidance, ransomware encryption of ePHI is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised. Layered controls (email filtering, least-privilege accounts, network segmentation, and tested offline backups) reduce both the likelihood and the blast radius of such an event.
2) Conduct a HIPAA Security Risk Analysis
In 2017, a consistent theme emerged from the U.S. Department of Health and Human Services Office for Civil Rights (OCR): organizations were urged to conduct regular risk analyses that comply with available OCR guidance, including the Guidance on Risk Analysis Requirements under the HIPAA Security Rule. The risk analysis itself is a required implementation specification of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), and its absence is one of the findings OCR cites most often in resolution agreements.
A HIPAA security risk analysis takes a broad look at HIPAA compliance within your organization: it inventories where ePHI is created, received, maintained, and transmitted, identifies the threats and vulnerabilities affecting each of those locations, and rates the likelihood and impact of each. From privacy compliance assessments to technical vulnerability assessments, no two organizations are alike, so the analysis must be tailored to your systems and data flows. It is a necessary step toward identifying risks and taking concrete steps toward HIPAA compliance.
3) Implement a Risk Management Plan and Risk Management Procedures
In light of the risks and vulnerabilities identified during the risk analysis, a risk management plan (RMP) documents how the organization will reduce each identified risk to a reasonable and appropriate level, which is itself a required Security Rule specification (45 CFR 164.308(a)(1)(ii)(B)). It establishes policy for ongoing risk analysis and management of electronic protected health information (ePHI), assigns owners and timelines to each remediation item, and maps the flow of ePHI through your organization so that security gaps can be closed where the data actually travels.
There's no denying HIPAA compliance is a complex topic, and achieving it requires a significant amount of documentation and technical know-how, but you don't have to navigate the road to HIPAA compliance alone.
4) Report Breaches within 60 Days
In January 2017, the first enforcement action of its kind for lack of timely breach notification took place, with a settlement amount of $475,000. If a breach of unsecured PHI occurs within your organization, notify the affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, notify OCR at the same time and also notify prominent media outlets serving the affected area. Breaches affecting fewer than 500 individuals must still be reported to OCR, but may be logged and submitted annually, no later than 60 days after the end of the calendar year in which they were discovered. Note that the clock starts at discovery, which is the first day the breach is known or reasonably should have been known to the organization, not the day the investigation concludes.
Do you have antivirus installed on computers throughout your organization? Can you prove it? When it comes to HIPAA, it's one thing to know you have antivirus installed, but another to demonstrate it to an auditor: that means a written policy requiring it, deployment records or console reports showing coverage across your inventory, and logs showing that signatures are current and alerts are reviewed. HIPAA compliance requires a great deal of paperwork, and if you are short on documenting and defining policies and procedures, we can help you understand what you might be missing so the gaps can be filled.
Unsure if You Are HIPAA Compliant?
If you would like to discuss what it would take to set up a vulnerability assessment, security risk analysis, privacy assessment, and / or assistance with meeting the objectives of HIPAA, contact our office by phone at (262) 522-8560, or send us a request online.
Ready To Talk?
A quick 10-minute call is all it takes to see if we're a good fit. If we aren't for whatever reason, we'll point you in the right direction.