How to avoid HIPAA penalties
Reviewing some of the largest HIPAA penalties and fines can help healthcare organizations learn how to avoid them should an incident occur. Many experts say that it isn’t IF an incident will occur, it’s WHEN. Here is a sample list of ways to be ready for an OCR audit, whether it is triggered by an incident or by routine Phase 2 audit protocols:
- Be a functional organization by properly funding your information security program
- Empower your Chief Information Security Officer (CISO)
- Conduct periodic risk assessments (HIPAA rules, OCR Phase 2 protocols, NIST (including the Cybersecurity Framework), PCI, intrusion and vulnerability scanning, external penetration testing, phishing exercises, etc.)
- Implement and maintain operational policies, procedures and plans (e.g. facility security plans)
- Educate the workforce on a periodic general basis, with focused training as needed
- Implement a process to assess third-party business associates for information security risk and to manage their contracts
- Mitigate known risks in order from highest to lowest
- Protect vulnerable PHI in transit and at rest
- Be prepared for an OCR audit, which is now based on Phase 2 protocols
- Be prepared to respond to an incident
Sample of largest HIPAA penalties
Advocate Health Care – $5.55 million – The Office for Civil Rights (OCR) found substantial deficiencies in how Advocate conducted risk assessments of electronic protected health information; how it implemented policies, procedures and facility access controls to limit access to electronic health records; how it oversaw the safeguarding of ePHI by business associates; and how it safeguarded an unencrypted laptop left in an unlocked vehicle overnight.
University of Mississippi Medical Center – $2.75 million – The penalty was due to a breach of unsecured electronic protected health information affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach.
Oregon Health & Science University – $2.7 million – The penalty followed two breaches in 2013. The incidents involved a stolen laptop and the use of cloud storage services without a business associate agreement in place.
WellPoint – $1.7 million – OCR’s investigation indicated that WellPoint did not: adequately implement policies and procedures for authorizing access to the online application database; perform an appropriate technical evaluation in response to a software upgrade to its information systems; or have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
Alaska Department of Health and Social Services – $1.7 million – OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI, had not completed a risk analysis, had not implemented sufficient risk management measures, had not completed security training for its workforce members, had not implemented device and media controls, and had not addressed device and media encryption as required by the HIPAA Security Rule.
ComplyAssistant provides IT and compliance consulting services and healthcare compliance software solutions. The software is a compliance management cloud portal that provides guidance, organization, collaboration alerts, and notifications for more effective management and documentation of healthcare compliance activities.