HIPAA-HITECH Security and the cost of ‘nothing’
Fans of Seinfeld know that it was a show about “nothing”. George asks the President of NBC – “What did you do today?”. The answer was something like “I got up and drove to work”, and George replies “There you go, that’s a show!”. The concept of Seinfeld was that even “nothing” was “something”.
The title of this blog says “Why Pay for Nothing?”. What does that mean? How does it relate to Seinfeld and HIPAA-HITECH security? Let’s make the link.
We read about healthcare organizations that get fined by the OCR for basically doing nothing, meaning that they can show little or no evidence of due diligence for HIPAA. The OCR asks for evidence such as policies and procedures, a recent information security risk assessment and mitigation plan, completed mitigation action items, evidence of workforce training, technical security vulnerability and penetration testing, etc. Of course, cyber security tactical simulations and disaster recovery / business continuity exercises are key components of that evidence too.
So when it comes to HIPAA-HITECH security, unlike Seinfeld, the concept of having “nothing” is NOT “something”. Healthcare organizations do not satisfy HIPAA requirements when it is a “show” about nothing. And they can really pay the price for nothing.
Examples of HIPAA fines
Advocate Health Care – $5.55 million – The Office for Civil Rights (OCR) found substantial deficiencies in how Advocate conducted risk assessments of electronic protected health information; how it implemented policies, procedures and facility access controls to limit access to electronic health records; how it oversaw the safeguarding of ePHI by business associates; and how it safeguarded an unencrypted laptop left in an unlocked vehicle overnight.
After conducting an investigation, the OCR concluded that Advocate failed to assess the risks to its ePHI, failed to restrict physical access to its IT systems, failed to obtain written assurance from its business associates that they would protect Advocate’s ePHI, and failed to safeguard an unencrypted laptop while it was left in an unlocked car overnight.
Alaska Department of Health and Social Services – $1.7 million – the OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI, had not completed a risk analysis, had not implemented sufficient risk management measures, had not completed security training for its workforce members, had not implemented device and media controls, and had not addressed device and media encryption as required by the HIPAA Security Rule.
Presence Health – $475,000 – In a reminder of HIPAA’s tough requirements for breach notification, federal regulators issued a $475,000 financial settlement and corrective action plan for Chicago-based Presence Health tied to its tardy notification for a 2013 paper records breach affecting only about 800 individuals. In addition to the financial payment, the resolution agreement between OCR and Presence Health calls for the organization to implement a corrective action plan that includes: revising its existing policies and procedures related to breach notification; distributing the updated policies and procedures to Presence Health’s workforce; and providing training to Presence Health’s workforce pertaining to those policies and procedures.
So in just three examples, the penalties totaled approximately $7.73 million. That is a lot of money that could have been put to much better use, and HIPAA compliance would have been a much better use, with money to spare.
It is the same old story that the cost of doing nothing can be a lot more expensive than the cost of doing something!
ComplyAssistant provides IT and compliance consulting services and healthcare compliance software solutions. The software is a compliance management cloud portal that provides guidance, organization and collaboration alerts and notifications for more effective management and documentation of healthcare compliance activities.