In 2013, a covered entity reported to the U.S. Department of Health and Human Services Office for Civil Rights that one of its workstations was infected with a malware program. This resulted in the impermissible disclosure of 1,670 individuals’ electronic protected health information. The ePHI included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
The covered entity, a hospital in the Northeast, determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because the organization did not have a firewall in place.
This is a common, basic compliance lapse among covered entities. So, let’s examine the HIPAA settlement related to this organization to better understand how you can improve your HIPAA compliance program.
HIPAA fines always include a corrective action plan (CAP), which requires a comprehensive HIPAA compliance program, with attestation mandated from an organization’s officer over the duration of the CAP period. The duration of the CAP period is typically two to three years.
In the case of this hospital, the financial settlement was $650,000, the CAP was two years and attestation was required during that period by a hospital officer.
Entities have faced HIPAA fines totaling more than $50 million since 2008. So far in 2016, we have witnessed 13 HIPAA fines totaling more than $20 million, with an average fine of more than $1.8 million. Based on the frequency and amount of these fines this year, one thing is very clear: the lack of a credible HIPAA compliance program will increase an organization’s business risk. The $650,000 financial settlement imposed on that Northeast hospital was based on a relatively small breach of 1,670 records.
The recommendation to senior leadership: select a security framework and establish HIPAA compliance within the context of the framework. There are essentially three options for security frameworks: HITRUST, ISO 27001 and NIST.
Be deliberate, disciplined and steady to address HIPAA compliance in the context of a credible security framework. Senior executives must treat HIPAA compliance as a life-cycle, as a process. It will lower business risk!
The core HIPAA violations at this highlighted organization included:
Has your organization established a credible HIPAA compliance risk assessment and risk management program? You must continually address:
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats, such as malware,” OCR director Jocelyn Samuels said in a statement. “Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”