HIPAA fines are on the rise in 2016, according to several reports. As of the end of August, nearly the close of the year's third quarter, at least 10 HIPAA settlements had been issued, and most fines are expected to land by the end of the year.
Matthew Mellen, security architect at Palo Alto Networks, says that the HIPAA fines are noteworthy, “gaining the attention of both hospitals and business associates, which are persons or entities that perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provide services to, a covered entity.” Despite this attention, he says, HIPAA settlements continue. Each comes with a resolution agreement between HHS and the covered entity or business associate, a long process that can take as much as three years.
The resolution agreement outlines certain obligations and reports that will be provided to HHS, generally for a period of three years. Any agreement you see posted publicly in 2016 has probably been in the works from at least 2013. There are certainly more in flight right now that will be posted in the upcoming months.
The average HIPAA settlement for the 10 fines issued in 2016 is more than $2 million. Almost all of the penalties were issued for lost or stolen unencrypted laptops that stored PHI, not for hacks or breaches, as the overwhelming coverage of those incidents might lead one to believe.
For organizations facing an audit, there are several steps they can take to protect themselves. Among the best, in abbreviated form: produce a regular encryption compliance report, and include every asset in the asset inventory in that review. Maintain proof of encryption for all assets. Keep patching current: when system patches are ready, deploy them, Mellen says, including patches for third-party software such as Adobe Acrobat and Flash. “Either upgrade the systems or deploy advanced endpoint protection to prevent them from being compromised,” Mellen writes.
He also suggests that healthcare organization leaders review network documentation regularly, keeping a single document that depicts the entire network architecture. “Review the current VLANs, VRFs and Zones configured in the environment and any plans for upcoming improvements. Confirm Medical Devices and PCI devices are isolated from the internal network.”
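As an added illustration of the encryption compliance report and patch-status checks described above (example code, not from the article, Palo Alto Networks or any named organization), the following Python script walks a constructed asset inventory and flags assets lacking proof of encryption, PHI-storing assets with no proof at all, assets whose proof is older than the review window, assets whose OS or third-party software is behind the required patch level, and proof records for devices that are missing from the inventory. All asset ids, dates and version numbers are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the article); every asset must appear in the report.
INVENTORY = [
    {"id": "LT-001", "type": "laptop", "stores_phi": True},
    {"id": "LT-002", "type": "laptop", "stores_phi": True},
    {"id": "WS-010", "type": "workstation", "stores_phi": False},
]
# Proof of encryption: asset id -> date full-disk encryption was last verified (constructed).
ENCRYPTION_PROOF = {"LT-001": date(2016, 8, 1), "WS-010": date(2016, 1, 15), "LT-099": date(2016, 8, 1)}
# Installed versions per asset, OS and third-party alike (constructed placeholder versions).
INSTALLED = {
    "LT-001": {"os": (10, 0, 3), "acrobat": (15, 2), "flash": (22, 0)},
    "LT-002": {"os": (10, 0, 2), "acrobat": (15, 2), "flash": (21, 0)},
    "WS-010": {"os": (10, 0, 3), "acrobat": (15, 1), "flash": (22, 0)},
}
# Minimum patched version currently required for each package (constructed).
REQUIRED = {"os": (10, 0, 3), "acrobat": (15, 2), "flash": (22, 0)}


def compliance_report(inventory, proof, installed, required, today, max_age_days=90):
    """Encryption and patch compliance over the whole inventory, not just known-good devices."""
    report = {"unencrypted_phi": [], "missing_proof": [], "stale_proof": [],
              "pending_patches": {}, "unknown_assets": []}
    cutoff = today - timedelta(days=max_age_days)
    for asset in inventory:
        aid = asset["id"]
        verified = proof.get(aid)
        if verified is None:
            report["missing_proof"].append(aid)
            if asset["stores_phi"]:  # the case behind most 2016 fines: PHI with no encryption proof
                report["unencrypted_phi"].append(aid)
        elif verified < cutoff:
            report["stale_proof"].append(aid)  # proof exists but is older than the review window
        versions = installed.get(aid, {})
        pending = [pkg for pkg, minimum in required.items() if versions.get(pkg, (0,)) < minimum]
        if pending:
            report["pending_patches"][aid] = pending
    # Proof records for devices absent from the inventory reveal an inventory gap, not compliance.
    report["unknown_assets"] = sorted(set(proof) - {a["id"] for a in inventory})
    return report


def is_compliant(report):
    return not any(report.values())


def run_sample():
    return compliance_report(INVENTORY, ENCRYPTION_PROOF, INSTALLED, REQUIRED, date(2016, 9, 1))
```

Any non-empty list in the report is a finding to track to closure before the next review; an empty report is the only state in which `is_compliant` returns true.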
But that’s not all.
Practices must know more.
They must understand what constitutes a breach and determine the nature and extent of the PHI involved. When a breach occurs, practice leaders must identify the unauthorized individual who used the PHI, who received the data, and whether those parties were authorized to do so. Then, because a breach can lead to a fine, they need to determine whether the information was actually viewed.
Health IT Security editor Elizabeth Snell points out that anything from the lack of a risk assessment to failing to adhere to certain aspects of the HIPAA Security Rule could be a key factor in determining punishment or a HIPAA fine. Snell reports that the University of Mississippi Medical Center agreed to a HIPAA settlement in July 2016 following a breach affecting 10,000 individuals because the medical center didn’t “take adequate risk management security measures, even after UMMC was aware of certain risks and vulnerabilities to its system.”
Practices must respond diligently and promptly, in near real time, to avoid the perception of wrongdoing.
Oregon Health and Science University offers an example of HIPAA carelessness: in one case it stored its data with an internet-based service provider, Google, specifically Google Mail and Google Drive, which do not have proper HIPAA security features in place. Google was also not an official business associate. Where PHI is involved, then, Google is rarely a friend.
Audits and fines will continue to increase. Now more than ever, practices must be diligent and take responsibility for the protection and use of the health information they collect.