Based on the frequency and amount of HIPAA fines in 2016, one thing is clear, very clear: the lack of a credible HIPAA compliance program for an organization today, will lead to an increase in business risk.
Multiple alleged HIPAA violations resulted in a $2.75 million settlement with the University of Mississippi Medical Center (UMMC). HIPAA fines typically are in the seven figures. In addition, it always includes a corrective action map (CAP), which requires a comprehensive HIPAA compliance program, mandated with attestation from an organization’s officer over the duration of the CAP period. The duration of the CAP period is typically a minimum of two years, more likely, three years.
The recommendation to senior leadership: select a security framework and establish HIPAA compliance within the context of that framework. There are essentially three options for security frameworks: HITRUST, ISO 27001 and NIST. I would recommend HITRUST. Be deliberate, disciplined, and steady to get HITRUST certified.
Senior executives must treat HIPAA compliance as a life-cycle, as a process. It will lower business risk!
Let’s examine the settlement related to UMMC to better understand how this impacts where you need to set the bar for HIPAA compliance based on Office for Civil Rights (OCR) enforcement of the regulation.
The HIPAA Compliance Program Failures
The core HIPAA Compliance Program failures at the University of Mississippi Medical Center:
On July 25, 2016, the university medical center agreed to settle multiple alleged HIPAA violations with OCR. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.
Your HIPAA Bar:
Has your organization established a credible HIPAA compliance risk management program?
UMMC will pay a penalty of $2,750,000 and adopt a CAP to ensure continual compliance with:
Your HIPAA Bar:
Does your organization’s HIPAA compliance program continually address the requirements of the three pillars of HIPAA regulations (privacy, security, breach)?
Here is what led to the UMMC breach. On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from the center’s Intensive Care Unit. The center’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.
OCR’s investigation revealed that EPHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network, because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the EPHI of an estimated 10,000 patients dating back to 2008.
Your HIPAA Bar:
Does your organization regularly, on a disciplined schedule, conduct vulnerability assessments across your external, internal and wireless infrastructure to identify security gaps that can compromise EPHI?
Has your organization conducted a comprehensive and thorough risk analysis exercise to identify compliance gaps such as use of generic credentials that can access EPHI?
Your Steps for Safeguarding Information (Required!)Formally document and appoint a HIPAA compliance officer with responsibility, budget and authority to manage an enterprise program