There is nothing subtle or inexpensive about HIPAA violations. The US Department of Health and Human Services (HHS) publicizes the outcomes on its web site and through press releases that are picked up by media outlets big and small. Read a few and a pattern emerges. Whatever the specifics of the case, HHS usually criticizes the risk assessment and policy management of the offending organization.
In mid-August 2016, the HHS Office for Civil Rights (OCR) stepped up investigations of small breaches, those affecting fewer than 500 individuals. While OCR continues to prioritize large-scale breaches, it is now investigating more of the smaller ones, with the goal of encouraging HIPAA compliance by organizations regardless of size. Read “OCR to Increase Investigations of Small PHI Breaches”.
Risk Assessment and HIPAA Violations
Here are just a few recent settlements.
Advocate Health Care Network settled in August 2016 with HHS and its Office for Civil Rights (OCR) for a record $5.55 million for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). In the press release, OCR Director Jocelyn Samuels said, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.” Read “Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million”.
New York and Presbyterian Hospital (NYP) and Columbia University settled for $4.8 million. As part of its criticism, HHS stated in its press release that “…neither entity had conducted an accurate and thorough risk analysis that addressed the potential threats and hazards to the security of the ePHI.” In addition, “…NYP failed to implement appropriate policies and procedures for authorizing access to its database and failed to comply with its own policies on information access management.” Read “Data breach results in $4.8 million HIPAA settlements.”
Oregon Health & Science University (OHSU) settled with HHS for $2.7 million. While OHSU had performed risk analyses, OCR found that they did not cover all of its ePHI, and that the organization did not reduce the risks and vulnerabilities it had identified to a reasonable and appropriate level.
Here’s a quote from the press release: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” Read “Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University”.
University of Mississippi Medical Center (UMMC) settled for $2.75 million. According to the press release on this case, among the findings from the OCR’s investigation was that UMMC failed to “implement its policies and procedures to prevent, detect, contain and correct security violations.” Read “Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center.”
Identifying Potential HIPAA Violations through Risk Assessment
Organizations must have a strong risk management program in place to have a chance of complying with HIPAA regulations. This program can test the effectiveness of policy and procedure management within the organization and identify potential exposure. Policies and procedures must be rigorously maintained, accessible and explicitly acknowledged by all affected personnel. Ongoing risk assessments can find weaknesses and lapses that may otherwise go unnoticed. Risk assessments provide a real-time understanding of organizational risk.
Organizations subject to HIPAA rules handle private patient data. They must adhere to strict policies covering both personnel and computing to meet the exacting standards set by HHS and OCR, or they risk HIPAA violations. Knowing what the risks are and mitigating them is central to compliance, and that knowledge begins with risk assessment.
Key HIPAA Risk Assessment Capabilities
It has never been easier to build risk assessments and audits. Assessments can be built in minutes and distributed instantly to exactly the right target audience. Results can be viewed in real time. Surveys are collated automatically and ready for analysis. With such an easy system, ongoing risk assessment is practical and effective. Learn more about how you can improve risk assessment in your organization.