Never in recent years has it been so vital to stay current on Health Insurance Portability and Accountability Act (HIPAA) regulations. 2016 brought 13 settlements and nearly tripled 2015’s total collected fines. The average settlement amount continues to surpass 2016’s, and nine actions have already been settled in 2017.
How to Avoid a HIPAA Violation
The recent increase in enforcement of HIPAA violations has highlighted several factors to be mindful of. Being aware of and following these suggestions can help an organization avoid a HIPAA violation and the fine that may follow.
1.) Frequent Risk Analysis Checks
In 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), began requiring in its corrective action plans that organizations subject to HIPAA conduct regular risk analyses. These should evaluate any risks or weaknesses in the organization’s ePHI environment, in accordance with the Security Rule. The Guidance on Risk Analysis Requirements under the HIPAA Security Rule, along with other available OCR guidelines, should be consulted when conducting the risk analysis. It is understood that such an analysis will vary with an organization’s size and capacity, and therefore the Security Rule does not dictate a specific methodology.
2.) Risk Management Plan Implementation and Safeguards
A risk management plan, and the safeguards put into place after any risks or vulnerabilities are identified, are just as essential as conducting the risk analysis itself. In a case last year, a hospital continued using unencrypted devices after reporting the loss of an unencrypted, non-password-protected device that had resulted in a breach in 2009, and the OCR issued the hospital a $3.2 million civil monetary penalty. While OCR enforcement actions typically end in a settlement rather than a penalty, in this case the hospital preferred not to negotiate with OCR and instead chose to pay the penalty.
3.) Promptly Report Breaches
The first HIPAA settlement based on failure to report or notify the OCR of a breach under the HIPAA Breach Notification Rule was announced in January. The OCR found that the healthcare network in question had unreasonably delayed notifying OCR, the media, and the affected parties within the 60-day period the rule requires. More than 100 days passed after discovery of the breach before the notifications were made. This settlement shows how critical it is that employees are properly trained on HIPAA policies and procedures so that breach notification timeframes are upheld.
Web Tool Improvements Released by OCR
OCR recently released an updated web tool that makes the HIPAA breach reporting tool more transparent. The improvements include tips for consumers, archiving of older data breaches, a list of all breaches currently under investigation or reported within the last two years, and navigation to additional breach information.
CinchIT routinely assists our clients with executing HIPAA compliance strategies, understanding and managing data breach notification requirements, and reacting to OCR investigations and audits.