2018 was a record-breaking year for OCR enforcement of HIPAA fines and settlements.
When it comes to HIPAA violations, healthcare organizations for years have gone the way of the ostrich, burying their heads in the sand at the prospect of facing penalties from the Office for Civil Rights (OCR).
But if the last year proved one thing, it’s this: You can run, but continuing to hide is a potentially costly risk.
2018 was a record-breaking year for OCR enforcement of HIPAA fines and settlements. On its website, the Department of Health and Human Services clearly communicates its all-time record year: OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent.
These settlements offer clear takeaways for healthcare organizations everywhere. To avoid penalties, properly secure Protected Health Information, and ensure peace of mind, healthcare organizations of every size should take specific actions.
Lessons Learned from 2018: 4 Strategic Moves Healthcare Organizations Should Consider after Record-Breaking Year
1. Train Your Employees.
Lapses in common sense can come at a heavy price. In one case, a medical center was penalized in September 2018 for “inviting film crews on premises to film an ABC television network documentary series without first obtaining authorization from patients.”
Basic errors of judgment like this can be costly, but they are just as easily avoided. The antidote for this ailment is employee training. Executives, administrative leaders and managers should never assume that certain procedures and policies are well understood. They should be repeated – and repeated again – to resonate.
2. Conduct a Security Risk Analysis.
Year after year, HIPAA enforcement cases include organizations that didn’t complete – or even begin – a Security Risk Analysis. It’s the starting point for any HIPAA compliance and security plan.
In another case, which drew a $3.5 million penalty in Feb. 2018, the organization was cited for a failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all its electronic protected health information (ePHI).
This Security Risk Analysis helps you identify, document, and analyze threats and related vulnerabilities that may be exploited and impact the confidentiality, integrity, or availability of ePHI. Compliance mandates and information security standards always require that this analysis be performed regularly.
HIPAA, HITECH Breach Notification and the Merit-based Incentive Payment System (MIPS) require health organizations to conduct or review their security risk analysis, implement security updates as necessary and identify security deficiencies.
3. Consider a Trusted Partner.
Programs such as Managed Compliance Services can help guide the security and compliance journey for the long term. With Managed Compliance Services, your blanket of support extends beyond your crucial Security Risk Analysis. Access to a Compliance Portal enables your organization to maintain policies and procedures with an audit log, as well as track potential threats with an ongoing vulnerability scan and compliance dashboard.
Another key element to a reputable Managed Compliance Services agreement is the online and onsite training on HIPAA security for employees (see above).
4. Join our Seminar!
As previously stated, 2018 was a record-breaking year for enforcement of HIPAA fines and settlements and large-scale data breaches. From legal to insurance to IT security, our seminar will cast a panoramic view of HIPAA vulnerability, liability, and enforceability realities you’ll want to know.
We’ll review these 2018 cases settled by OCR and key takeaways from each. We’ll explore cyber liability coverage details, and how it helps mitigate the impact of HIPAA violations. And we’ll share more about the HIPAA Security Risk Analysis, and its necessity in today’s security climate.